Windows Analysis Report
Unspuriousness.exe

Overview

General Information

Sample name: Unspuriousness.exe
Analysis ID: 1449684
MD5: cc513534268b5bb9f7a0b68505ce8878
SHA1: e50b5568fd6b14351d192b18c499eb0cf6b645d8
SHA256: 332e4719b852f9111d01430672130b1c700ce8c74b2636db2f639b9987cec7c3

Detection

GuLoader
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Machine Learning detection for sample
Mass process execution to delay analysis
Obfuscated command line found
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Too many similar processes found
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Unspuriousness.exe (PID: 6520 cmdline: "C:\Users\user\Desktop\Unspuriousness.exe" MD5: CC513534268B5BB9F7A0B68505CE8878)
    • cmd.exe (PID: 3568 cmdline: cmd /c set /a "0x53^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5088 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6696 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6668 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6276 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3180 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6496 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6668 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5288 cmdline: cmd /c set /a "0x75^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6304 cmdline: cmd /c set /a "0x4E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6476 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5088 cmdline: cmd /c set /a "0x51^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6696 cmdline: cmd /c set /a "0x71^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6392 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6716 cmdline: cmd /c set /a "0x48^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6276 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6536 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6368 cmdline: cmd /c set /a "0x51^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6248 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4500 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7044 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6556 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5288 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2504 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6536 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5088 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6392 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5244 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6368 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4228 cmdline: cmd /c set /a "0x55^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4428 cmdline: cmd /c set /a "0x50^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6388 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 732 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4228 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6532 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6248 cmdline: cmd /c set /a "0x42^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6276 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6404 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4040 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6248 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1272 cmdline: cmd /c set /a "0x79^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6388 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6020 cmdline: cmd /c set /a "0x56^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6048 cmdline: cmd /c set /a "0x43^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2588 cmdline: cmd /c set /a "0x48^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6976 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6696 cmdline: cmd /c set /a "0x4B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2564 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 736 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6352 cmdline: cmd /c set /a "0x12^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5012 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4048 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4500 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5288 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4020 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6976 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6696 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1196 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6496 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2080 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6716 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6476 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5244 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3468 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4040 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2564 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4340 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4476 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1836 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6020 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4048 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1272 cmdline: cmd /c set /a "0x0F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6352 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6248 cmdline: cmd /c set /a "0x08^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6024 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4228 cmdline: cmd /c set /a "0x13^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6944 cmdline: cmd /c set /a "0x5F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1608 cmdline: cmd /c set /a "0x6D^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6976 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2520 cmdline: cmd /c set /a "0x74^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6016 cmdline: cmd /c set /a "0x68^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4476 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4020 cmdline: cmd /c set /a "0x6A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2992 cmdline: cmd /c set /a "0x15^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 732 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5740 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1700 cmdline: cmd /c set /a "0x1C^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2816 cmdline: cmd /c set /a "0x70^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5100 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6024 cmdline: cmd /c set /a "0x54^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6016 cmdline: cmd /c set /a "0x52^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3060 cmdline: cmd /c set /a "0x53^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6352 cmdline: cmd /c set /a "0x47^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4048 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3180 cmdline: cmd /c set /a "0x67^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6016 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4548 cmdline: cmd /c set /a "0x4A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5012 cmdline: cmd /c set /a "0x49^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5480 cmdline: cmd /c set /a "0x45^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5228 cmdline: cmd /c set /a "0x63^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2588 cmdline: cmd /c set /a "0x5E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2816 cmdline: cmd /c set /a "0x0E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5012 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6024 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2992 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6696 cmdline: cmd /c set /a "0x0B^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2564 cmdline: cmd /c set /a "0x17^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2492 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1028 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3568 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 1376 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6536 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 7044 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3192 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6668 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4944 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6388 cmdline: cmd /c set /a "0x1F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6532 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3412 cmdline: cmd /c set /a "0x14^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6556 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7044 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 5308 cmdline: cmd /c set /a "0x11^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4428 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4476 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2588 cmdline: cmd /c set /a "0x1E^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2212 cmdline: cmd /c set /a "0x16^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3568 cmdline: cmd /c set /a "0x0A^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6352 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 2992 cmdline: cmd /c set /a "0x4F^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4268 cmdline: cmd /c set /a "0x06^38" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
NameDescriptionAttributionBlogpost URLsLink
CloudEyE, GuLoaderCloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Source: Process Memory Space: Unspuriousness.exe PID: 6520
Rule: JoeSecurity_GuLoader_3
Description: Yara detected GuLoader
Author: Joe Security
Strings:
    No Sigma rule has matched
    No Snort rule has matched

    AV Detection

    Source: Unspuriousness.exe; Joe Sandbox ML: detected
    Source: Unspuriousness.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: Unspuriousness.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_00406362 FindFirstFileW,FindClose
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_004027FB FindFirstFileW
    Source: Unspuriousness.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_004052BD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
    Source: conhost.exe; Process created: 225
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Process Stats: CPU usage > 49%
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Unspuriousness.exe; File created: C:\Windows\resources\0809
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_004066E3
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_00404AFA
    Source: Unspuriousness.exe, 00000000.00000000.1645746965.0000000000453000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameimplementeredes smelters.exeDVarFileInfo$ vs Unspuriousness.exe
    Source: Unspuriousness.exe; Binary or memory string: OriginalFilenameimplementeredes smelters.exeDVarFileInfo$ vs Unspuriousness.exe
    Source: Unspuriousness.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
    Source: cmd.exe, 000000C2.00000002.1855781419.0000000002847000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: EXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBP
    Source: classification engine; Classification label: mal60.troj.evad.winEXE@550/20@0/0
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_0040326A EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,InitOnceBeginInitialize,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_0040457E GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Code function: 0_2_00402095 CoCreateInstance
    Source: C:\Users\user\Desktop\Unspuriousness.exe; File created: C:\Users\user\AppData\Local\outsplendour
    Source: C:\Users\user\Desktop\Unspuriousness.exe; File created: C:\Users\user\AppData\Local\Temp\nscC2D0.tmp
    Source: Unspuriousness.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\Unspuriousness.exe; File read: C:\Users\desktop.ini
    Source: C:\Users\user\Desktop\Unspuriousness.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Unspuriousness.exe; File read: C:\Users\user\Desktop\Unspuriousness.exe
    Source: unknown; Process created: C:\Users\user\Desktop\Unspuriousness.exe "C:\Users\user\Desktop\Unspuriousness.exe"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1E^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x74^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: uxtheme.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: version.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: shfolder.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: propsys.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: riched20.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: usp10.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: msls31.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: textinputframework.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: coreuicomponents.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: coremessaging.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: wintypes.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: textshaping.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
    Source: Window Recorder Window detected: More than 3 window changes detected
    Source: Unspuriousness.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

    Data Obfuscation

    Source: Yara match File source: Process Memory Space: Unspuriousness.exe PID: 6520, type: MEMORYSTR
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x74^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x63^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, 0_2_10001B18
    Source: C:\Users\user\Desktop\Unspuriousness.exe Code function: 0_2_10002DE0 push eax; ret 0_2_10002E0E
    Source: C:\Users\user\Desktop\Unspuriousness.exe File created: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe File created: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion

    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Window / User API: threadDelayed 366
    Source: C:\Users\user\Desktop\Unspuriousness.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll
    Source: C:\Users\user\Desktop\Unspuriousness.exe TID: 6664 Thread sleep time: -36600s >= -30000s
    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
    Source: C:\Users\user\Desktop\Unspuriousness.exe Code function: 0_2_00406362 FindFirstFileW,FindClose,0_2_00406362
    Source: C:\Users\user\Desktop\Unspuriousness.exe Code function: 0_2_00405810 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_00405810
    Source: C:\Users\user\Desktop\Unspuriousness.exe Code function: 0_2_004027FB FindFirstFileW,0_2_004027FB
    Source: C:\Users\user\Desktop\Unspuriousness.exe API call chain: ExitProcess graph end node graph_0-4450
    Source: C:\Users\user\Desktop\Unspuriousness.exe API call chain: ExitProcess graph end node graph_0-4455
    Source: C:\Users\user\Desktop\Unspuriousness.exe Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,0_2_10001B18
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x75^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x79^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x74^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x68^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x48^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x10^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x15^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x17^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x70^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x08^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x52^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x50^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x13^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x11^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x43^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0E^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x55^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x4A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x71^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x42^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x49^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x45^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x14^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x6D^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x53^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x54^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x0A^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x12^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x1C^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x06^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x16^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x56^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c set /a "0x5F^38"Jump to behavior
    Source: C:\Users\user\Desktop\Unspuriousness.exe Code function: 0_2_00406041 GetVersion, GetSystemDirectoryW, GetWindowsDirectoryW, SHGetSpecialFolderLocation, SHGetPathFromIDListW, CoTaskMemFree, lstrcatW, lstrlenW
    Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Access Token Manipulation | 11 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
    Credentials | Domains | Default Accounts | 1 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 11 Process Injection | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
    Email Addresses | DNS Server | Domain Accounts | 1 Native API | Logon Script (Windows) | 1 DLL Side-Loading | 1 Access Token Manipulation | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 1 Time Based Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 2 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Time Based Evasion | Cached Domain Credentials | 3 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Obfuscated Files or Information | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
    [Behavior graph. ID: 1449684, Sample: Unspuriousness.exe, Startdate: 30/05/2024, Architecture: WINDOWS, Score: 60. Signatures: Yara detected GuLoader; Machine Learning detection for sample; Obfuscated command line found; Mass process execution to delay analysis. Unspuriousness.exe started; dropped C:\Users\user\AppData\Local\...\nsExec.dll (PE32) and C:\Users\user\AppData\Local\...\System.dll (PE32); started cmd.exe processes and 269 other processes, which started conhost.exe processes.]

    Source | Detection | Scanner | Label | Link
    --- | --- | --- | --- | ---
    Unspuriousness.exe | 5% | ReversingLabs | |
    Unspuriousness.exe | 100% | Joe Sandbox ML | |

    Source | Detection | Scanner | Label | Link
    --- | --- | --- | --- | ---
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | 0% | ReversingLabs | |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | 0% | ReversingLabs | |
    No Antivirus matches
    Source | Detection | Scanner | Label | Link
    --- | --- | --- | --- | ---
    http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe |
    No contacted domains info
    Name | Source | Malicious | Antivirus Detection | Reputation
    --- | --- | --- | --- | ---
    http://nsis.sf.net/NSIS_ErrorError | Unspuriousness.exe | false | URL Reputation: safe | unknown
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1449684
    Start date and time:2024-05-30 17:32:37 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 12m 15s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:549
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:Unspuriousness.exe
    Detection:MAL
    Classification:mal60.troj.evad.winEXE@550/20@0/0
    EGA Information:
    • Successful, ratio: 100%
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 59
    • Number of non-executed functions: 28
    Cookbook Comments:
    • Found application associated with file extension: .exe
    • Override analysis time to 240000 for current running targets taking high CPU consumption
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe
    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
    • Not all processes where analyzed, report is missing behavior information
    • Report size exceeded maximum capacity and may have missing behavior information.
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtSetInformationFile calls found.
    • Report size getting too big, too many NtWriteVirtualMemory calls found.
    • VT rate limit hit for: Unspuriousness.exe
    Time | Type | Description
    --- | --- | ---
    11:34:16 | API Interceptor | 64x Sleep call for process: Unspuriousness.exe modified
    No context
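    Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
    --- | --- | --- | --- | --- | --- | ---
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | SecuriteInfo.com.Mal.Generic-S.9895.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | SecuriteInfo.com.Mal.Generic-S.31925.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | SecuriteInfo.com.Mal.Generic-S.9895.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | SecuriteInfo.com.Mal.Generic-S.31925.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe | Get hash | malicious | AgentTesla, GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\nsExec.dll | Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | 400 EUR.exe | Get hash | malicious | GuLoader, Remcos | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | 400 EUR.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | pagamento240529.bat.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | pagamento240529.bat.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | ordinazione d acquisto 00299344.bat.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | ordinazione d acquisto 00299344.bat.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | Factura_pdf.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | Factura_pdf.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | shipping documents_pdf.exe | Get hash | malicious | GuLoader | Browse |
    C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll | shipping documents_pdf.exe | Get hash | malicious | GuLoader | Browse |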
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):11776
                                            Entropy (8bit):5.655335921632966
                                            Encrypted:false
                                            SSDEEP:192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
                                            MD5:EE260C45E97B62A5E42F17460D406068
                                            SHA1:DF35F6300A03C4D3D3BD69752574426296B78695
                                            SHA-256:E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
                                            SHA-512:A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: 400 EUR.exe, Detection: malicious, Browse
                                            • Filename: 400 EUR.exe, Detection: malicious, Browse
                                            • Filename: pagamento240529.bat.exe, Detection: malicious, Browse
                                            • Filename: pagamento240529.bat.exe, Detection: malicious, Browse
                                            • Filename: ordinazione d acquisto 00299344.bat.exe, Detection: malicious, Browse
                                            • Filename: ordinazione d acquisto 00299344.bat.exe, Detection: malicious, Browse
                                            • Filename: Factura_pdf.exe, Detection: malicious, Browse
                                            • Filename: Factura_pdf.exe, Detection: malicious, Browse
                                            • Filename: shipping documents_pdf.exe, Detection: malicious, Browse
                                            • Filename: shipping documents_pdf.exe, Detection: malicious, Browse
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):6656
                                            Entropy (8bit):5.139253382998066
                                            Encrypted:false
                                            SSDEEP:96:s7fhfKaGgchPzxK6bq+pKX6D8ZLidGgmkN838:UbGgGPzxeX6D8ZyGgmkN
                                            MD5:1B0E41F60564CCCCCD71347D01A7C397
                                            SHA1:B1BDDD97765E9C249BA239E9C95AB32368098E02
                                            SHA-256:13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
                                            SHA-512:B6D7925CDFF358992B2682CF1485227204CE3868C981C47778DD6DA32057A595CAA933D8242C8D7090B0C54110D45FA8F935A1B4EEC1E318D89CC0E44B115785
                                            Malicious:false
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 0%
                                            Joe Sandbox View:
                                            • Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse
                                            • Filename: Order_request_0003352030_Arcelormittal_837478220293874639220654_documents.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.W32.AIDetect.malware2.20337.14221.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.Mal.Generic-S.9895.exe, Detection: malicious, Browse
                                            • Filename: SecuriteInfo.com.Mal.Generic-S.31925.exe, Detection: malicious, Browse
                                            • Filename: Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe, Detection: malicious, Browse
                                            • Filename: Ormat - RFQ-IMP 90881-00 5427-92407732DO4328105678387203.exe, Detection: malicious, Browse
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):195235
                                            Entropy (8bit):7.642789004810419
                                            Encrypted:false
                                            SSDEEP:3072:Lh44CEaOZgAeOcILMp3dMge6kRHuwY//q7+2Ga+Vz3ayIKS5WN4cg0:L5fKAeOr2agpOHuR674a+uKSA+c9
                                            MD5:0EA5EC2CDE9E10EA5D160298ACCBC3AE
                                            SHA1:567B2F68A8F1B7C08B0669937DAEB9B971A719B0
                                            SHA-256:B7DD8EC12FFAED7D51CA972106B9B0869C72DFAABC9031CC4708C473A78B73FB
                                            SHA-512:523E6944D7B6AD91A4A5C5B8241158B63BE29BDF0C62204BBA9736453D46748C6DC8F30B794543B9623F94FF2D10A3FED65A842230240AD5AC678EC8C2F1F228
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8188
                                            Entropy (8bit):4.984630631981175
                                            Encrypted:false
                                            SSDEEP:96:RDq3NihxmhrRyHl7kw6ONznzGdpc+oViKcXddk0UWHLXw1WWUuWl8yVaPz3g:R2cmCFUONTzGLoVUX3L3H77ta3g
                                            MD5:78AEF8A8B0425EA50D018A0A0A00407F
                                            SHA1:75CBF326AAF381449343AB34E7B9B6D151BF6632
                                            SHA-256:6C85C6EAA06602968F61999D902B8434AF8353F64F50329C1E8A4100E6734384
                                            SHA-512:34C2399709870EF0406299D5EFC51A3A6E222A763FC9DF0E794A6C1F5D79F0834D862D8B14BEAB52C8ADEA26A5029DA2D5533F8C673E769BB3C760630FF4F3C4
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):407
                                            Entropy (8bit):4.186911394455087
                                            Encrypted:false
                                            SSDEEP:6:CHreC6uMP8pWM9LgtpEMhEhOAIEWtw48ITxakAoWSASnu+E5SP5rt:CH6Tdw19yBMABadExakAonF85Ct
                                            MD5:7737810DEB8E7F00B5CE121EEB189BCB
                                            SHA1:AD3C8C01DF6557FF6D425C5DDD6D25E5D111A045
                                            SHA-256:4D6F4DE1AB65601030F536223F8A38DB16FBADBA9FC376332ABE9F352F86D191
                                            SHA-512:77DECB08D6404699BC7201D5489087D215B65A35DE67CB7888ED22EEAEBD0FF866E314F940F5344E9DA8254B7755616D3D3EDABB1E44B0A3067B4BEC0527BEF0
                                            Malicious:false
                                            Preview:negligerer unslumbering trylletaster avlingers linjetllernes spaaedes,rejselotteriets mesocaecal konklusionerne paatage varmeovn sljdens armilla uninformatively gleesomeness..beskeler pinnywinkles fremtidsbyerne eksproprieringsplaner mellemkomsts afflated..underdealing turboventilator fauster.udslgendes collaborativeness rearisen aabningstalerne angie mortensen natklubberne,landzoneloven frowzled anapst.
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):6952
                                            Entropy (8bit):4.884923989192729
                                            Encrypted:false
                                            SSDEEP:192:WLwMpWNgncchv7F5XymzLsRRTdCVfPnhw:+zpaP2vfXyEsbdCdPn2
                                            MD5:8C001DE6006342839D659DD9F4CEED6C
                                            SHA1:9CA07429FE6EB3361B410259342E1AFF3760662B
                                            SHA-256:C38D73BF73394459CEFB655A178D65C4EFC982AACC568151B58C53A9428A4CE8
                                            SHA-512:AB14D2372A08B0B3D8AEFD8DD3679CF51DA00563741B1B3D5480FEE7A84AA072F5BB9547717AEB41B3A1ACE550A93E934177E7394D1782505A86CB5D9C5979D6
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):10972
                                            Entropy (8bit):4.892382175452858
                                            Encrypted:false
                                            SSDEEP:192:XyK9IqhE+2QhmCRCB25juJbLHtRkBJSi0u3m7nolq:X7Xh40mCwB2u3sii0u0olq
                                            MD5:E0793D711445D7E23F4BF69AD2A0A681
                                            SHA1:625855A515D5D0EBCED8427DFD458610E4246992
                                            SHA-256:340C748D418A36BC4A555D2B06092FB41FB725B039A364C97C1EABD7EF50AE43
                                            SHA-512:2408AB5E5E1EE1A4D0F0A24FC97FB9073C329FADB0DA45A492DA11F9C82B52040C2AF7353DB43F435E324D5FD18DD05F77F743D3CC8720C098A97DF5EDBA16CD
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1593
                                            Entropy (8bit):4.7827969913861095
                                            Encrypted:false
                                            SSDEEP:24:b2AXtJt6jnNT9OlGUJoRugPF9acO2QqA3hmRk1KnR+sjI0RAW9RqOw5FMHGcacn:iAXDt6DNxOA9RFPzlgqiQn5kW9hwHh+
                                            MD5:1A4CA94F39ADCBD05E127607CC9993A0
                                            SHA1:1C6249E76B3DD5315B2A3DFBBC1E02DFBF754E47
                                            SHA-256:FC840AA82122EB9EEC1D032D25104F8C9BFBFE1671BF6A268841A53967312041
                                            SHA-512:21FF66988075EFD4F15EF001BED597CBB37791721F55CEA55140ECB9B95F51E64D6A248D8E5677595EA1AF1B62A0EAD54584264D5211798F4141A43CEE1525E9
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:ASCII text, with very long lines (63672), with no line terminators
                                            Category:dropped
                                            Size (bytes):63672
                                            Entropy (8bit):2.668676125677066
                                            Encrypted:false
                                            SSDEEP:768:fSk69tCIRTkfSmWJ9mJyv878kdEcbCJUG3AY3/uVKEuuwVK8LR3OE+ijNfotZr9+:qz2aNJdn/n26uKNu3A4g
                                            MD5:3806D31D045EEB882F3A76BC8685B213
                                            SHA1:789B017BC41D248AB2D3A0216A113236A23455FF
                                            SHA-256:D03723DD271D86AFCDBC5417C17630C93F7C393E7B293BCE79EA2C86604D8D92
                                            SHA-512:09B9D8947480F9228AC694A426E719BD86BCF6EE54BC707478A9A137164FBD4A7B6EAAE6785BBCA97D0BA290AF7B6C189BB4D0393FCE9833A16EEC9282572289
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):9832
                                            Entropy (8bit):4.90925380839641
                                            Encrypted:false
                                            SSDEEP:192:HnR06jz+VjB9QBI/H2YcXvdQfYF+KK1ZC5AzRwjDKrb2z5AH:HnRyV99cIvelFPKKAzRD
                                            MD5:12B0BCE3AE0573AE1276CD87F0709898
                                            SHA1:57CDCEB9E98CB606D25371FCB8A4903C556D7733
                                            SHA-256:279A405D723F09D5453D71C6C76F1C3A3B792EDB9D1D1EC3D82D66A60A63CD40
                                            SHA-512:1493904679F5E9E0708AA38F884EAFC8799EDD53FB0BDF53578F25CE50AD387BEA89E113C1918D8455FEF552F7740AC9EAB8ABDA422EC69EAEC0FB412EEE2F5D
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):2277
                                            Entropy (8bit):4.8720546744219755
                                            Encrypted:false
                                            SSDEEP:48:PCdrJOcv/Q/KFpuMOFkNvf2afRsRX6FpAa4dr67fx3:K9vI6TWQRAKzAa1rx3
                                            MD5:A6ECDF28D8D760E514B38D9B6F0C0484
                                            SHA1:3A5E930136BD8AF3355C0E0ABCA117C75EE08C38
                                            SHA-256:30B4447E0B81B9FD6F712A9F8530E1097C0A597BFCDC45C6A24960F31DF0BD01
                                            SHA-512:82E0B63671BC1E0A810B8EDFF5B05F68C9A0EB49E845434CAA2E4B7848CF86D48123F09E8A7F2524D6B626428EDCB810B2ABE4390E829D6D1160819F7E4884F2
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):10093
                                            Entropy (8bit):4.908874815539876
                                            Encrypted:false
                                            SSDEEP:192:XvFnwZwrcwIJJ8kQsSNTeW/dM/88oKT2RqNLkeU8QoHt:X8wIJNQ76SaxKRcQWQat
                                            MD5:69E5D2DAB77C9AC0FAD016A8CC132888
                                            SHA1:B80B8984AB6A92C42A6DAD69504E9AF4D6432334
                                            SHA-256:E0592100712DB5131F94AE72FCF2D4808023558293DBD6ACEB909E0A713A922E
                                            SHA-512:3EF2CD6257FB623737F5B19CFE0F801A0B03431FAF6909D709498B488EF795E072BB4613DBDDDB2E58BCB12D64F1695A676685AB8AE2BCADC0D621432EAD705A
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8927
                                            Entropy (8bit):4.947192103826229
                                            Encrypted:false
                                            SSDEEP:192:TOCOnoHxdeGzvacRYUOmmHRZCzUIRPWskihdFgPXdbX:TuoRdeialUPWRI425SPJX
                                            MD5:3FF2675B3FE540E5406AE3A47F8E7E1C
                                            SHA1:8C94B6634DCF0CBFE15BD423511EB4B990CD07F3
                                            SHA-256:1BAB29AEB79F9447EF609C1A6152D6E052017A910A8E898970403096B8BED5B6
                                            SHA-512:0F91AF92E9FA06FFDC0149441F89ABD9E61CF78821437694B85A6986A4AE6A29ED701C5BB0F3E3D05F893B88BA2915EE40715C0A69B27D4E24DAAD26AFE4B1E7
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):14817
                                            Entropy (8bit):4.973842232000673
                                            Encrypted:false
                                            SSDEEP:384:ExQvLKa9w7TFCEY57YoEFCHmn/OCsQ5kSAnu:YQvLKa+TXYNbE6mnGQ0u
                                            MD5:9857B50710B21F13491FBD4B49CFE2A8
                                            SHA1:928C4B03C509E2743799D1499C4CC6FB5A272B68
                                            SHA-256:903B8858C451A31A068EAD95B9D476879D980B54928DF9BA9191FCF342755188
                                            SHA-512:61F75DA65396525670B3B9A59A26BC9D3D9A0F803F0AC6EFBCF0B6A4AE78F60774DEA6F249021A56E3DAA5DF86EED79DE49F108B781100737078A07E240FA734
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):3610
                                            Entropy (8bit):4.851625868360139
                                            Encrypted:false
                                            SSDEEP:96:MJ3g/KzKjiuJ2pK2b0+2b/7tLbzt7OU6ueeb9eh:igCzqDJGlKzt/zoueuoh
                                            MD5:09A6BDBFA480990E803035FE0F160769
                                            SHA1:9B93F41DC69F063F418B04D2479E2A21A42C282B
                                            SHA-256:BA70E2856F8F8BA456C19A72D3AE9F8D85B02681C323315AD126836D1E3EDBBB
                                            SHA-512:E349E82A2EF40929EFF522A1C29B5AAF99F3857CE4858B68C9FD700BE657079042EAB84310536DD56A6455DB9005F1B04A9373B8A2EC13E7741961C38E5733C7
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):12014
                                            Entropy (8bit):4.886352020865119
                                            Encrypted:false
                                            SSDEEP:192:jTmZZAK4ucJLU4AN9o4R2Ax0cWcqfNPxXa/brhXgzKkhyOFy5KTp/1Lfqofi:jCZm7NRU4g5CzcqfNtU2NhyOIKp/1zqn
                                            MD5:418734ED4634DE7787643A60EA1C8F10
                                            SHA1:AC64409F656F7110C7FCF1987C92DAE67DA5189B
                                            SHA-256:C5021D2B81E9352A27CD57CB3F1C94644CCD5E942A94D42F7533980393653B08
                                            SHA-512:F320C0BEA3835DE1E91C77135EA8B218617D929661D1A666C45DB5A6DF371A439A2E23C6FD16671FB99495BE250B2ACA64B0749A20D831EB2350B680300A5022
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):10093
                                            Entropy (8bit):4.921304550843908
                                            Encrypted:false
                                            SSDEEP:192:DZ8rRF5ahaphjNo0D8isfxagfOzUZt5Dn6OnNeTQMpIXDiqFTJ6dd3UwJzB0KW:98FB20+tO0tnhn3MpITiqju/J2P
                                            MD5:9060008E461A11F15F9BDEE09706F2AC
                                            SHA1:F32FBA221B0465E653089E1102D909641DB4592C
                                            SHA-256:9A120EBD44CB869A97371818103EC064399E6CBE04089D0C8711FCEF98F1E2ED
                                            SHA-512:23E81C7955822F2D4D86E59D4DB76171FFBB8C17CAA722C2A080304BA6F2AEF61F5CE6C221F8828D3E7C231C8C83E34529BE9338321EF4F151DC980CA1E9A85D
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):11275
                                            Entropy (8bit):4.942431684383429
                                            Encrypted:false
                                            SSDEEP:192:nAuaTg5xjp2K6DSBOn3yP1Ar91Jn+7FKVojZvcNMJQlutl/pK:nAFwL6De03yPm9pVo9vcNMJQlO/pK
                                            MD5:58085E9D57CBB196894651B435A4FCEA
                                            SHA1:A47092853C0A3AAE0B9423B2003FF7B0F8957A70
                                            SHA-256:94CE73AFED0065F579AD1AC5D19EF243E1B77446FFE24751FED28317F1578B8A
                                            SHA-512:C3DE1FCD063334E75A05996BCCE2BABB7D6634BD12719D25F29D085AE313A9473DEEC3D52319ABAB79F29CDD4B1664139FC7B2F5E99A9342845542EACACD39AF
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8588
                                            Entropy (8bit):4.888629932145179
                                            Encrypted:false
                                            SSDEEP:192:rMLE0UFUzJTwLJPW11HT2Vb+unZev3NulS69ESBn37o3Q:N0ygJTwRwT2h3svCvJBnD
                                            MD5:E72E4DA0C887E3F827B738F35E0482EC
                                            SHA1:257D468DC970555ABECFF7B05FD696ABDF6A7D40
                                            SHA-256:7C8DA843782B56378C86B6DD3375900E26B2C65DD70CA92CA2825817CE3C8424
                                            SHA-512:AEB104FD5B71E2C850F0F765E06C15A185B44FFAE6419E2047FCEAD27AEF5B158ED41DCC6F30CD8D377F751F845572597DF0C903B2A49D6CC6B5A389D3F6CB40
                                            Malicious:false
                                            Process:C:\Users\user\Desktop\Unspuriousness.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):12304
                                            Entropy (8bit):4.929043817018574
                                            Encrypted:false
                                            SSDEEP:192:shTgoifXw8BGeup9Ymc6q/XRxZoQyWKjjI+4iUpZP7tOpSgIo/uunP6QLFx:shbigf7Ymj+ZT9KAs6vOWuPBL3
                                            MD5:E5FF5853BB7E5F30F19224B4B4BC7C0A
                                            SHA1:68493998A1960EBF37F3D96785356698B8113B08
                                            SHA-256:9DACE326D0608440D7103A035D1E4FA5398AC900CD2E7FBF059E0E5E04251649
                                            SHA-512:E654B7B95DDF8A07DE8422C4580DE51F08D7FCBDCB843DD1744C8CE9403AF6185533654320F7EE0F90EFB72EA696CBE93014A06FED513B14F259B8A4CB52172E
                                            Malicious:false
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                            Entropy (8bit):7.370254882852528
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:Unspuriousness.exe
                                            File size:511'276 bytes
                                            MD5:cc513534268b5bb9f7a0b68505ce8878
                                            SHA1:e50b5568fd6b14351d192b18c499eb0cf6b645d8
                                            SHA256:332e4719b852f9111d01430672130b1c700ce8c74b2636db2f639b9987cec7c3
                                            SHA512:c3f0f252721beec16d138cd1ab231c66e85c8eaa4659bf19adf5a168b5d20e22f4b0612c52ebbb77862cc0f359f4b962c6402e505b70d8fcb3ba53782ddafc5a
                                            SSDEEP:12288:cB1z1mysVs9SdGV91Kabe5Bi1hQm3hLAKk5UcJEutA:M3siBJKabe5e13lC5UcJI
                                            TLSH:85B4D0A13BDCC823F3C591B4E361E73DC9B0E2650E269513AAA92D5EF17C7759839302
                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P..*_...P...P..NP..*_...P...s...P...V...P..Rich.P..........................PE..L...s..V.................`...*.....
                                            Icon Hash:0b5bcd4d6d6f510f
                                            Entrypoint:0x40326a
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                            Time Stamp:0x567F8473 [Sun Dec 27 06:25:55 2015 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:d4b94e8ee3f620a89d114b9da4b31873
                                            Instruction
                                            sub esp, 000002D4h
                                            push ebp
                                            push esi
                                            push 00000020h
                                            xor ebp, ebp
                                            pop esi
                                            mov dword ptr [esp+0Ch], ebp
                                            push 00008001h
                                            mov dword ptr [esp+0Ch], 00409300h
                                            mov dword ptr [esp+18h], ebp
                                            call dword ptr [004070B0h]
                                            call dword ptr [004070ACh]
                                            cmp ax, 00000006h
                                            je 00007F4C1086A533h
                                            push ebp
                                            call 00007F4C1086D676h
                                            cmp eax, ebp
                                            je 00007F4C1086A529h
                                            push 00000C00h
                                            call eax
                                            push ebx
                                            push edi
                                            push 004092F4h
                                            call 00007F4C1086D5F3h
                                            push 004092ECh
                                            call 00007F4C1086D5E9h
                                            push 004092E0h
                                            call 00007F4C1086D5DFh
                                            push 00000009h
                                            call 00007F4C1086D644h
                                            push 00000007h
                                            call 00007F4C1086D63Dh
                                            mov dword ptr [00429224h], eax
                                            call dword ptr [00407044h]
                                            push ebp
                                            call dword ptr [004072A8h]
                                            mov dword ptr [004292D8h], eax
                                            push ebp
                                            lea eax, dword ptr [esp+34h]
                                            push 000002B4h
                                            push eax
                                            push ebp
                                            push 004206C8h
                                            call dword ptr [0040718Ch]
                                            push 004092C8h
                                            push 00428220h
                                            call 00007F4C1086D22Ah
                                            call dword ptr [004070A8h]
                                            mov ebx, 00434000h
                                            push eax
                                            push ebx
                                            call 00007F4C1086D218h
                                            push ebp
                                            call dword ptr [00407178h]
                                            Programming Language:
                                            • [EXP] VC++ 6.0 SP5 build 8804
                                            Name | Virtual Address | Virtual Size | Is in Section
                                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x74bc | 0xa0 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x53000 | 0x333c0 | .rsrc
                                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x2b8 | .rdata
                                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                            .text | 0x1000 | 0x5ffa | 0x6000 | df2f822ba33541e61d4a603b60bbdbcc | False | 0.6675211588541666 | data | 6.472885474718374 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                            .rdata | 0x7000 | 0x1370 | 0x1400 | a10c5fabf76461b1b26713fde2284808 | False | 0.4404296875 | data | 5.0714431097950134 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            .data | 0x9000 | 0x20318 | 0x600 | 45bc104aba688d708375b6b0133d1563 | False | 0.5084635416666666 | data | 3.9955723529870646 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .ndata | 0x2a000 | 0x29000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                            .rsrc | 0x53000 | 0x333c0 | 0x33400 | 541dcee2c2ead94a5a2797a312fb5565 | False | 0.46985994664634145 | data | 5.942286371422245 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                            RT_ICON | 0x53388 | 0x10a00 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.2874765037593985
                                            RT_ICON | 0x63d88 | 0xa400 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9916873094512195
                                            RT_ICON | 0x6e188 | 0x9600 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.35854166666666665
                                            RT_ICON | 0x77788 | 0x5600 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.3277162063953488
                                            RT_ICON | 0x7cd88 | 0x4400 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3766659007352941
                                            RT_ICON | 0x81188 | 0x2600 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.4496299342105263
                                            RT_ICON | 0x83788 | 0x1200 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4743923611111111
                                            RT_ICON | 0x84988 | 0xa00 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.54375
                                            RT_ICON | 0x85388 | 0x600 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.4811197916666667
                                            RT_DIALOG | 0x85988 | 0x100 | data | English | United States | 0.5234375
                                            RT_DIALOG | 0x85a88 | 0x11c | data | English | United States | 0.6056338028169014
                                            RT_DIALOG | 0x85ba8 | 0xc4 | data | English | United States | 0.5918367346938775
                                            RT_DIALOG | 0x85c70 | 0x60 | data | English | United States | 0.7291666666666666
                                            RT_GROUP_ICON | 0x85cd0 | 0x84 | data | English | United States | 0.7954545454545454
                                            RT_VERSION | 0x85d58 | 0x328 | data | English | United States | 0.47029702970297027
                                            RT_MANIFEST | 0x86080 | 0x33f | XML 1.0 document, ASCII text, with very long lines (831), with no line terminators | English | United States | 0.5547533092659447
                                            DLL | Import
                                            KERNEL32.dll | SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
                                            USER32.dll | GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
                                            GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
                                            SHELL32.dll | SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
                                            ADVAPI32.dll | RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
                                            COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
                                            ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
                                            Language of compilation system:English
                                            Country where language is spoken:United States
                                            No network behavior found


                                            Target ID:0
                                            Start time:11:33:25
                                            Start date:30/05/2024
                                            Path:C:\Users\user\Desktop\Unspuriousness.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\Unspuriousness.exe"
                                            Imagebase:0x400000
                                            File size:511'276 bytes
                                            MD5 hash:CC513534268B5BB9F7A0B68505CE8878
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:low
                                            Has exited:false

                                            Target ID:1
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x53^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:2
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:3
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x55^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:4
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:5
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x43^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:6
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:7
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:8
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff70f330000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:9
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x15^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:10
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:11
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x14^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:12
                                            Start time:11:33:31
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:13
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:14
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true

                                            Target ID:15
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:16
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:17
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x75^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:18
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:19
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:20
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:21
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x49^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:22
                                            Start time:11:33:32
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:23
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x51^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:24
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:25
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x71^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:26
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:27
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:28
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:29
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x48^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:30
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:31
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x42^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:32
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:33
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x49^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:34
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:35
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x51^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:36
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:37
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:38
                                            Start time:11:33:33
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:39
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:40
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:41
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:42
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:43
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x11^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:44
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:45
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:46
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:47
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:48
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:49
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:50
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:51
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:52
                                            Start time:11:33:34
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:53
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:54
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:55
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4B^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:56
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:57
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x55^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:58
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:59
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x50^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:60
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:61
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x45^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:62
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:63
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:64
                                            Start time:11:33:35
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:65
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x52^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:66
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:67
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x08^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:68
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:69
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x42^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:70
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:71
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:72
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:73
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:74
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:75
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:76
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:77
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:78
                                            Start time:11:33:36
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:79
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x79^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:80
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:81
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x49^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:82
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:83
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x56^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:84
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:85
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x43^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:86
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:87
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x48^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:88
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:89
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:90
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:91
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4B^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:92
                                            Start time:11:33:37
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:93
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:94
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:95
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:96
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:97
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x12^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:98
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:99
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:100
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:101
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:102
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:103
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:104
                                            Start time:11:33:38
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:105
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:106
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:107
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:108
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:109
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:110
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:111
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:112
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:113
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:114
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:115
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:116
                                            Start time:11:33:39
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:117
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:118
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:119
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:120
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:121
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:122
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:123
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:124
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:125
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:126
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:127
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:128
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:129
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:130
                                            Start time:11:33:40
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:131
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:132
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:133
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x17^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:134
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:135
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:136
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:137
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:138
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:139
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:140
                                            Start time:11:33:41
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:141
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:142
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:143
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x08^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:144
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:145
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:146
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:147
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x13^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:148
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:149
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:150
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:151
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x6D^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:152
                                            Start time:11:33:42
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:154
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x63^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:155
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:156
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x74^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:157
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:158
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x68^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:159
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:160
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x63^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:161
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:162
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x6A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:163
                                            Start time:11:33:43
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:164
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x15^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:165
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:166
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x14^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:167
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:168
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:169
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:170
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:171
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:172
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x70^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:173
                                            Start time:11:33:44
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:174
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:175
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:176
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:177
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:178
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x52^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:179
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:180
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x53^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:181
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:182
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x47^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:183
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:184
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:185
                                            Start time:11:33:45
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:186
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x67^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:187
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:188
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:189
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:190
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:191
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:192
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x49^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:193
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:194
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x45^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:195
                                            Start time:11:33:46
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:196
                                            Start time:11:33:47
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x63^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:197
                                            Start time:11:33:47
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:198
                                            Start time:11:33:47
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:199
                                            Start time:11:33:47
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:200
                                            Start time:11:33:47
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:201
                                            Start time:11:33:47
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:202
                                            Start time:11:33:47
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:203
                                            Start time:11:33:47
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:204
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:205
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:206
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0B^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:207
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:208
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x17^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:209
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:210
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:211
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:212
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:213
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:214
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:215
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:216
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:217
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff72bec0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:218
                                            Start time:11:33:48
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:219
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:220
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:221
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:222
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:223
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:224
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:225
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:226
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:227
                                            Start time:11:33:49
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:228
                                            Start time:11:33:50
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x14^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:229
                                            Start time:11:33:50
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:230
                                            Start time:11:33:50
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:231
                                            Start time:11:33:50
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:232
                                            Start time:11:33:50
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x11^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:233
                                            Start time:11:33:50
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:234
                                            Start time:11:33:50
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:235
                                            Start time:11:33:50
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:236
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:237
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:238
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:239
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:240
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:241
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:243
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:false
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:244
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:245
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:246
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:247
                                            Start time:11:33:51
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:248
                                            Start time:11:33:52
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:249
                                            Start time:11:33:52
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:250
                                            Start time:11:33:52
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:251
                                            Start time:11:33:52
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:252
                                            Start time:11:33:52
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:253
                                            Start time:11:33:52
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:254
                                            Start time:11:33:52
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:255
                                            Start time:11:33:52
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:256
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x15^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:257
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:258
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:259
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:260
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:261
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:262
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:263
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:264
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:265
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:266
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:267
                                            Start time:11:33:53
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:268
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:269
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:270
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:271
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:272
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x10^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:273
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:274
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x12^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:275
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff71e800000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:276
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:277
                                            Start time:11:33:54
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:278
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x56^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:279
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:280
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x08^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:281
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:282
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:283
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:284
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x12^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:285
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:286
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:287
                                            Start time:11:33:55
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:288
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4B^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:289
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:290
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x55^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:291
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:292
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x50^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:293
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:294
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x45^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:295
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:296
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:297
                                            Start time:11:33:56
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:298
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x52^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:299
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:300
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:301
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:302
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:303
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:304
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x79^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:305
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:306
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:307
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:308
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x55^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:309
                                            Start time:11:33:57
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:310
                                            Start time:11:33:58
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x43^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:311
                                            Start time:11:33:58
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:312
                                            Start time:11:33:58
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x43^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:313
                                            Start time:11:33:58
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:314
                                            Start time:11:33:58
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4D^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:315
                                            Start time:11:33:58
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:316
                                            Start time:11:33:58
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:317
                                            Start time:11:33:58
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:318
                                            Start time:11:33:59
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:319
                                            Start time:11:33:59
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:320
                                            Start time:11:33:59
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:321
                                            Start time:11:33:59
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:322
                                            Start time:11:33:59
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:323
                                            Start time:11:33:59
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:324
                                            Start time:11:33:59
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x13^38"
                                            Imagebase:0x7ff7714f0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:325
                                            Start time:11:33:59
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:326
                                            Start time:11:34:00
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:327
                                            Start time:11:34:00
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:328
                                            Start time:11:34:00
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:329
                                            Start time:11:34:00
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:330
                                            Start time:11:34:00
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:331
                                            Start time:11:34:00
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:332
                                            Start time:11:34:00
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:333
                                            Start time:11:34:00
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:334
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x11^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:335
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:336
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x17^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:337
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:338
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:339
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:340
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x520000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:341
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:342
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:343
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:344
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:345
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:346
                                            Start time:11:34:01
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:347
                                            Start time:11:34:02
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:348
                                            Start time:11:34:02
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:349
                                            Start time:11:34:02
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:350
                                            Start time:11:34:02
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:351
                                            Start time:11:34:02
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:352
                                            Start time:11:34:02
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:353
                                            Start time:11:34:02
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:354
                                            Start time:11:34:02
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:355
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:356
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x7ff6eef20000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:357
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:358
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x08^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:359
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:360
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:361
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:362
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x11^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:363
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:364
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5F^38"
                                            Imagebase:0x7ff6eef20000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:365
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:366
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4B^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:367
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:368
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x55^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:369
                                            Start time:11:34:03
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:370
                                            Start time:11:34:04
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x50^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:371
                                            Start time:11:34:04
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:372
                                            Start time:11:34:04
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x45^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:373
                                            Start time:11:34:04
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:374
                                            Start time:11:34:04
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:375
                                            Start time:11:34:04
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:376
                                            Start time:11:34:04
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x52^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:377
                                            Start time:11:34:04
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:378
                                            Start time:11:34:05
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x08^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:379
                                            Start time:11:34:05
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:380
                                            Start time:11:34:05
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x42^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:381
                                            Start time:11:34:05
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:382
                                            Start time:11:34:05
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:383
                                            Start time:11:34:05
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:384
                                            Start time:11:34:05
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:385
                                            Start time:11:34:05
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:386
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:387
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:388
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:389
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:390
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x79^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:391
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:392
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:393
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:394
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x43^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:395
                                            Start time:11:34:06
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:396
                                            Start time:11:34:07
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x47^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:397
                                            Start time:11:34:07
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:398
                                            Start time:11:34:07
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x42^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:399
                                            Start time:11:34:07
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:400
                                            Start time:11:34:07
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:401
                                            Start time:11:34:07
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:402
                                            Start time:11:34:07
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:403
                                            Start time:11:34:07
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:404
                                            Start time:11:34:08
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:405
                                            Start time:11:34:08
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:406
                                            Start time:11:34:08
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:407
                                            Start time:11:34:08
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:408
                                            Start time:11:34:08
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x13^38"
                                            Imagebase:0x7ff68cef0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:409
                                            Start time:11:34:08
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:410
                                            Start time:11:34:08
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:411
                                            Start time:11:34:08
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:412
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:413
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:414
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:415
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:416
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:417
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:418
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:419
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:420
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x12^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:421
                                            Start time:11:34:09
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:422
                                            Start time:11:34:10
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:423
                                            Start time:11:34:10
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:424
                                            Start time:11:34:10
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:425
                                            Start time:11:34:10
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:426
                                            Start time:11:34:10
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:427
                                            Start time:11:34:10
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:428
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:429
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:430
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:431
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:432
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x14^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:433
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:434
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:435
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:436
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x11^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:437
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:438
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:439
                                            Start time:11:34:11
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:440
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:441
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:442
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:443
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:444
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:445
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:446
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:447
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:448
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:449
                                            Start time:11:34:12
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:450
                                            Start time:11:34:13
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x53^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:451
                                            Start time:11:34:13
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:452
                                            Start time:11:34:13
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x55^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:453
                                            Start time:11:34:13
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:454
                                            Start time:11:34:13
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x43^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:455
                                            Start time:11:34:13
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:456
                                            Start time:11:34:13
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:457
                                            Start time:11:34:13
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:458
                                            Start time:11:34:14
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x15^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:459
                                            Start time:11:34:14
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:460
                                            Start time:11:34:14
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x14^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:461
                                            Start time:11:34:14
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:462
                                            Start time:11:34:14
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:463
                                            Start time:11:34:14
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:464
                                            Start time:11:34:14
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x1C^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:465
                                            Start time:11:34:14
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:466
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x65^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:467
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:468
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x47^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:469
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:470
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:471
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:472
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:473
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:474
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x71^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:475
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:476
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:477
                                            Start time:11:34:15
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:478
                                            Start time:11:34:16
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x48^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:479
                                            Start time:11:34:16
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:480
                                            Start time:11:34:16
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x42^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:481
                                            Start time:11:34:16
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:482
                                            Start time:11:34:16
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x49^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:483
                                            Start time:11:34:16
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:484
                                            Start time:11:34:16
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x51^38"
                                            Imagebase:0x7ff7f74b0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:485
                                            Start time:11:34:16
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:486
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x76^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:487
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:488
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:489
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:490
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x49^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:491
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:492
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x45^38"
                                            Imagebase:0x7ff68cef0000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:493
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:494
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x67^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:495
                                            Start time:11:34:17
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:496
                                            Start time:11:34:18
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0E^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:497
                                            Start time:11:34:18
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:498
                                            Start time:11:34:18
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:499
                                            Start time:11:34:18
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:500
                                            Start time:11:34:18
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:501
                                            Start time:11:34:18
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:502
                                            Start time:11:34:18
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x54^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:503
                                            Start time:11:34:18
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:504
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x12^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:505
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:506
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:507
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:508
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:509
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:510
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:511
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:512
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:513
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:514
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:515
                                            Start time:11:34:19
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:516
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:517
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:518
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:519
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:520
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:521
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:522
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:523
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:524
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:525
                                            Start time:11:34:20
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:526
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:527
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:528
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:529
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:530
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:531
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:532
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:533
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:534
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0A^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:535
                                            Start time:11:34:21
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:536
                                            Start time:11:34:22
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:537
                                            Start time:11:34:22
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:538
                                            Start time:11:34:22
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x4F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:539
                                            Start time:11:34:22
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:540
                                            Start time:11:34:22
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x06^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:541
                                            Start time:11:34:22
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:542
                                            Start time:11:34:22
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x16^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:543
                                            Start time:11:34:22
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:544
                                            Start time:11:34:23
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x0F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:545
                                            Start time:11:34:23
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:546
                                            Start time:11:34:23
                                            Start date:30/05/2024
                                            Path:C:\Windows\SysWOW64\cmd.exe
                                            Wow64 process (32bit):true
                                            Commandline:cmd /c set /a "0x5F^38"
                                            Imagebase:0x240000
                                            File size:236'544 bytes
                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                            Target ID:547
                                            Start time:11:34:23
                                            Start date:30/05/2024
                                            Path:C:\Windows\System32\conhost.exe
                                            Wow64 process (32bit):false
                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                            Imagebase:0x7ff7699e0000
                                            File size:862'208 bytes
                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Has exited:true

                                              Execution Graph

                                              Execution Coverage:20.9%
                                              Dynamic/Decrypted Code Coverage:13.7%
                                              Signature Coverage:20.8%
                                              Total number of Nodes:1545
                                              Total number of Limit Nodes:46
5325->5326 5327 404a6b GetMessagePos ScreenToClient SendMessageW 5325->5327 5329 404a9f 5326->5329 5328 404aa4 5327->5328 5327->5329 5328->5326 5329->5323 5339 40601f lstrcpynW 5330->5339 5332 404adb 5340 405f66 wsprintfW 5332->5340 5334 404ae5 5335 40140b 2 API calls 5334->5335 5336 404aee 5335->5336 5341 40601f lstrcpynW 5336->5341 5338 404af5 5338->5315 5339->5332 5340->5334 5341->5338 5342 401673 5343 402bbf 18 API calls 5342->5343 5344 40167a 5343->5344 5345 402bbf 18 API calls 5344->5345 5346 401683 5345->5346 5347 402bbf 18 API calls 5346->5347 5348 40168c MoveFileW 5347->5348 5349 40169f 5348->5349 5355 401698 5348->5355 5350 406362 2 API calls 5349->5350 5353 4021e1 5349->5353 5352 4016ae 5350->5352 5351 401423 25 API calls 5351->5353 5352->5353 5354 405ec0 38 API calls 5352->5354 5354->5355 5355->5351 5356 100016b6 5357 100016e5 5356->5357 5358 10001b18 22 API calls 5357->5358 5359 100016ec 5358->5359 5360 100016f3 5359->5360 5361 100016ff 5359->5361 5362 10001272 2 API calls 5360->5362 5363 10001726 5361->5363 5364 10001709 5361->5364 5365 100016fd 5362->5365 5367 10001750 5363->5367 5368 1000172c 5363->5368 5366 1000153d 3 API calls 5364->5366 5370 1000170e 5366->5370 5369 1000153d 3 API calls 5367->5369 5371 100015b4 3 API calls 5368->5371 5369->5365 5372 100015b4 3 API calls 5370->5372 5373 10001731 5371->5373 5374 10001714 5372->5374 5375 10001272 2 API calls 5373->5375 5377 10001272 2 API calls 5374->5377 5376 10001737 GlobalFree 5375->5376 5376->5365 5378 1000174b GlobalFree 5376->5378 5379 1000171a GlobalFree 5377->5379 5378->5365 5379->5365 5380 4041f7 lstrcpynW lstrlenW 5381 10002238 5382 10002296 5381->5382 5383 100022cc 5381->5383 5382->5383 5384 100022a8 GlobalAlloc 5382->5384 5384->5382 5385 404afa GetDlgItem GetDlgItem 5386 404b4c 7 API calls 5385->5386 5392 404d65 5385->5392 5387 404be2 SendMessageW 5386->5387 5388 404bef DeleteObject 5386->5388 5387->5388 5389 404bf8 5388->5389 5390 404c2f 5389->5390 5391 406041 18 API calls 5389->5391 
5393 4040e3 19 API calls 5390->5393 5396 404c11 SendMessageW SendMessageW 5391->5396 5395 404e49 5392->5395 5402 404a48 5 API calls 5392->5402 5418 404dd6 5392->5418 5399 404c43 5393->5399 5394 404ef5 5397 404f07 5394->5397 5398 404eff SendMessageW 5394->5398 5395->5394 5404 404ea2 SendMessageW 5395->5404 5428 404d58 5395->5428 5396->5389 5406 404f20 5397->5406 5407 404f19 ImageList_Destroy 5397->5407 5415 404f30 5397->5415 5398->5397 5403 4040e3 19 API calls 5399->5403 5400 40414a 8 API calls 5405 4050eb 5400->5405 5401 404e3b SendMessageW 5401->5395 5402->5418 5419 404c51 5403->5419 5409 404eb7 SendMessageW 5404->5409 5404->5428 5410 404f29 GlobalFree 5406->5410 5406->5415 5407->5406 5408 40509f 5413 4050b1 ShowWindow GetDlgItem ShowWindow 5408->5413 5408->5428 5412 404eca 5409->5412 5410->5415 5411 404d26 GetWindowLongW SetWindowLongW 5414 404d3f 5411->5414 5420 404edb SendMessageW 5412->5420 5413->5428 5416 404d45 ShowWindow 5414->5416 5417 404d5d 5414->5417 5415->5408 5427 404ac8 4 API calls 5415->5427 5432 404f6b 5415->5432 5436 404118 SendMessageW 5416->5436 5437 404118 SendMessageW 5417->5437 5418->5395 5418->5401 5419->5411 5421 404d20 5419->5421 5424 404ca1 SendMessageW 5419->5424 5425 404cdd SendMessageW 5419->5425 5426 404cee SendMessageW 5419->5426 5420->5394 5421->5411 5421->5414 5424->5419 5425->5419 5426->5419 5427->5432 5428->5400 5429 405075 InvalidateRect 5429->5408 5430 40508b 5429->5430 5438 404a03 5430->5438 5431 404f99 SendMessageW 5435 404faf 5431->5435 5432->5431 5432->5435 5434 405023 SendMessageW SendMessageW 5434->5435 5435->5429 5435->5434 5436->5428 5437->5392 5441 40493a 5438->5441 5440 404a18 5440->5408 5442 404953 5441->5442 5443 406041 18 API calls 5442->5443 5444 4049b7 5443->5444 5445 406041 18 API calls 5444->5445 5446 4049c2 5445->5446 5447 406041 18 API calls 5446->5447 5448 4049d8 lstrlenW wsprintfW SetDlgItemTextW 5447->5448 5448->5440 5449 401cfa GetDlgItem GetClientRect 5450 402bbf 18 API calls 5449->5450 5451 401d2c 
LoadImageW SendMessageW 5450->5451 5452 401d4a DeleteObject 5451->5452 5453 402a4c 5451->5453 5452->5453 4961 40237b 4962 402381 4961->4962 4963 402bbf 18 API calls 4962->4963 4964 402393 4963->4964 4965 402bbf 18 API calls 4964->4965 4966 40239d RegCreateKeyExW 4965->4966 4967 40281e 4966->4967 4968 4023c7 4966->4968 4969 4023e2 4968->4969 4970 402bbf 18 API calls 4968->4970 4971 4023ee 4969->4971 4973 402ba2 18 API calls 4969->4973 4972 4023d8 lstrlenW 4970->4972 4974 402409 RegSetValueExW 4971->4974 4976 403027 36 API calls 4971->4976 4972->4969 4973->4971 4975 40241f RegCloseKey 4974->4975 4975->4967 4976->4974 4978 4027fb 4979 402bbf 18 API calls 4978->4979 4980 402802 FindFirstFileW 4979->4980 4981 40282a 4980->4981 4984 402815 4980->4984 4982 402833 4981->4982 4986 405f66 wsprintfW 4981->4986 4987 40601f lstrcpynW 4982->4987 4986->4982 4987->4984 5454 1000103d 5455 1000101b 5 API calls 5454->5455 5456 10001056 5455->5456 5457 40457e 5458 4045aa 5457->5458 5459 4045bb 5457->5459 5518 405748 GetDlgItemTextW 5458->5518 5461 4045c7 GetDlgItem 5459->5461 5467 404626 5459->5467 5463 4045db 5461->5463 5462 4045b5 5465 4062b3 5 API calls 5462->5465 5466 4045ef SetWindowTextW 5463->5466 5470 405a7e 4 API calls 5463->5470 5464 40470a 5516 4048b9 5464->5516 5520 405748 GetDlgItemTextW 5464->5520 5465->5459 5471 4040e3 19 API calls 5466->5471 5467->5464 5472 406041 18 API calls 5467->5472 5467->5516 5469 40414a 8 API calls 5474 4048cd 5469->5474 5475 4045e5 5470->5475 5476 40460b 5471->5476 5477 40469a SHBrowseForFolderW 5472->5477 5473 40473a 5478 405adb 18 API calls 5473->5478 5475->5466 5484 4059d3 3 API calls 5475->5484 5479 4040e3 19 API calls 5476->5479 5477->5464 5480 4046b2 CoTaskMemFree 5477->5480 5481 404740 5478->5481 5482 404619 5479->5482 5483 4059d3 3 API calls 5480->5483 5521 40601f lstrcpynW 5481->5521 5519 404118 SendMessageW 5482->5519 5486 4046bf 5483->5486 5484->5466 5489 4046f6 SetDlgItemTextW 5486->5489 5493 406041 18 API calls 5486->5493 5488 
40461f 5491 4063f5 5 API calls 5488->5491 5489->5464 5490 404757 5492 4063f5 5 API calls 5490->5492 5491->5467 5500 40475e 5492->5500 5494 4046de lstrcmpiW 5493->5494 5494->5489 5497 4046ef lstrcatW 5494->5497 5495 40479f 5522 40601f lstrcpynW 5495->5522 5497->5489 5498 4047a6 5499 405a7e 4 API calls 5498->5499 5501 4047ac GetDiskFreeSpaceW 5499->5501 5500->5495 5504 405a1f 2 API calls 5500->5504 5505 4047f7 5500->5505 5503 4047d0 MulDiv 5501->5503 5501->5505 5503->5505 5504->5500 5506 404a03 21 API calls 5505->5506 5507 404868 5505->5507 5509 404855 5506->5509 5508 40488b 5507->5508 5510 40140b 2 API calls 5507->5510 5523 404105 KiUserCallbackDispatcher 5508->5523 5512 40486a SetDlgItemTextW 5509->5512 5513 40485a 5509->5513 5510->5508 5512->5507 5515 40493a 21 API calls 5513->5515 5514 4048a7 5514->5516 5524 404513 5514->5524 5515->5507 5516->5469 5518->5462 5519->5488 5520->5473 5521->5490 5522->5498 5523->5514 5525 404521 5524->5525 5526 404526 SendMessageW 5524->5526 5525->5526 5526->5516 5527 4014ff 5528 401507 5527->5528 5529 40151a 5527->5529 5530 402ba2 18 API calls 5528->5530 5530->5529 5531 401000 5532 401037 BeginPaint GetClientRect 5531->5532 5533 40100c DefWindowProcW 5531->5533 5535 4010f3 5532->5535 5536 401179 5533->5536 5537 401073 CreateBrushIndirect FillRect DeleteObject 5535->5537 5538 4010fc 5535->5538 5537->5535 5539 401102 CreateFontIndirectW 5538->5539 5540 401167 EndPaint 5538->5540 5539->5540 5541 401112 6 API calls 5539->5541 5540->5536 5541->5540 5542 404280 5543 404298 5542->5543 5547 4043b2 5542->5547 5548 4040e3 19 API calls 5543->5548 5544 40441c 5545 4044ee 5544->5545 5546 404426 GetDlgItem 5544->5546 5553 40414a 8 API calls 5545->5553 5549 404440 5546->5549 5550 4044af 5546->5550 5547->5544 5547->5545 5551 4043ed GetDlgItem SendMessageW 5547->5551 5552 4042ff 5548->5552 5549->5550 5558 404466 6 API calls 5549->5558 5550->5545 5554 4044c1 5550->5554 5573 404105 KiUserCallbackDispatcher 5551->5573 5556 4040e3 19 API calls 5552->5556 
5557 4044e9 5553->5557 5559 4044d7 5554->5559 5560 4044c7 SendMessageW 5554->5560 5562 40430c CheckDlgButton 5556->5562 5558->5550 5559->5557 5563 4044dd SendMessageW 5559->5563 5560->5559 5561 404417 5564 404513 SendMessageW 5561->5564 5571 404105 KiUserCallbackDispatcher 5562->5571 5563->5557 5564->5544 5566 40432a GetDlgItem 5572 404118 SendMessageW 5566->5572 5568 404340 SendMessageW 5569 404366 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5568->5569 5570 40435d GetSysColor 5568->5570 5569->5557 5570->5569 5571->5566 5572->5568 5573->5561 5581 401904 5582 40193b 5581->5582 5583 402bbf 18 API calls 5582->5583 5584 401940 5583->5584 5585 405810 69 API calls 5584->5585 5586 401949 5585->5586 5587 402d04 5588 402d16 SetTimer 5587->5588 5589 402d2f 5587->5589 5588->5589 5590 402d84 5589->5590 5591 402d49 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5589->5591 5591->5590 4306 402786 4307 40278d 4306->4307 4309 4029f7 4306->4309 4308 402ba2 18 API calls 4307->4308 4310 402798 4308->4310 4311 40279f SetFilePointer 4310->4311 4311->4309 4312 4027af 4311->4312 4314 405f66 wsprintfW 4312->4314 4314->4309 4402 100027c7 4403 10002817 4402->4403 4404 100027d7 VirtualProtect 4402->4404 4404->4403 5592 401907 5593 402bbf 18 API calls 5592->5593 5594 40190e 5593->5594 5595 405764 MessageBoxIndirectW 5594->5595 5596 401917 5595->5596 5597 401e08 5598 402bbf 18 API calls 5597->5598 5599 401e0e 5598->5599 5600 402bbf 18 API calls 5599->5600 5601 401e17 5600->5601 5602 402bbf 18 API calls 5601->5602 5603 401e20 5602->5603 5604 402bbf 18 API calls 5603->5604 5605 401e29 5604->5605 5606 401423 25 API calls 5605->5606 5607 401e30 ShellExecuteW 5606->5607 5608 401e61 5607->5608 4804 403c0b 4805 403c23 4804->4805 4806 403d5e 4804->4806 4805->4806 4807 403c2f 4805->4807 4808 403daf 4806->4808 4809 403d6f GetDlgItem GetDlgItem 4806->4809 4810 403c3a SetWindowPos 4807->4810 4811 403c4d 4807->4811 4813 403e09 4808->4813 4821 401389 2 API calls 4808->4821 4812 4040e3 19 
API calls 4809->4812 4810->4811 4814 403c52 ShowWindow 4811->4814 4815 403c6a 4811->4815 4816 403d99 SetClassLongW 4812->4816 4817 40412f SendMessageW 4813->4817 4834 403d59 4813->4834 4814->4815 4818 403c72 DestroyWindow 4815->4818 4819 403c8c 4815->4819 4820 40140b 2 API calls 4816->4820 4848 403e1b 4817->4848 4873 40406c 4818->4873 4822 403c91 SetWindowLongW 4819->4822 4823 403ca2 4819->4823 4820->4808 4824 403de1 4821->4824 4822->4834 4827 403d4b 4823->4827 4828 403cae GetDlgItem 4823->4828 4824->4813 4829 403de5 SendMessageW 4824->4829 4825 40140b 2 API calls 4825->4848 4826 40406e DestroyWindow EndDialog 4826->4873 4883 40414a 4827->4883 4831 403cc1 SendMessageW IsWindowEnabled 4828->4831 4832 403cde 4828->4832 4829->4834 4830 40409d ShowWindow 4830->4834 4831->4832 4831->4834 4836 403ce3 4832->4836 4837 403ceb 4832->4837 4838 403d32 SendMessageW 4832->4838 4839 403cfe 4832->4839 4835 406041 18 API calls 4835->4848 4880 4040bc 4836->4880 4837->4836 4837->4838 4838->4827 4841 403d06 4839->4841 4842 403d1b 4839->4842 4844 40140b 2 API calls 4841->4844 4845 40140b 2 API calls 4842->4845 4843 403d19 4843->4827 4844->4836 4847 403d22 4845->4847 4846 4040e3 19 API calls 4846->4848 4847->4827 4847->4836 4848->4825 4848->4826 4848->4834 4848->4835 4848->4846 4864 403fae DestroyWindow 4848->4864 4874 4040e3 4848->4874 4850 403e96 GetDlgItem 4851 403eb3 ShowWindow KiUserCallbackDispatcher 4850->4851 4852 403eab 4850->4852 4877 404105 KiUserCallbackDispatcher 4851->4877 4852->4851 4854 403edd EnableWindow 4857 403ef1 4854->4857 4855 403ef6 GetSystemMenu EnableMenuItem SendMessageW 4856 403f26 SendMessageW 4855->4856 4855->4857 4856->4857 4857->4855 4878 404118 SendMessageW 4857->4878 4879 40601f lstrcpynW 4857->4879 4860 403f54 lstrlenW 4861 406041 18 API calls 4860->4861 4862 403f6a SetWindowTextW 4861->4862 4863 401389 2 API calls 4862->4863 4863->4848 4865 403fc8 CreateDialogParamW 4864->4865 4864->4873 4866 403ffb 4865->4866 4865->4873 4867 4040e3 19 API calls 
4866->4867 4868 404006 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4867->4868 4869 401389 2 API calls 4868->4869 4870 40404c 4869->4870 4870->4834 4871 404054 ShowWindow 4870->4871 4872 40412f SendMessageW 4871->4872 4872->4873 4873->4830 4873->4834 4875 406041 18 API calls 4874->4875 4876 4040ee SetDlgItemTextW 4875->4876 4876->4850 4877->4854 4878->4857 4879->4860 4881 4040c3 4880->4881 4882 4040c9 SendMessageW 4880->4882 4881->4882 4882->4843 4884 404162 GetWindowLongW 4883->4884 4894 4041eb 4883->4894 4885 404173 4884->4885 4884->4894 4886 404182 GetSysColor 4885->4886 4887 404185 4885->4887 4886->4887 4888 404195 SetBkMode 4887->4888 4889 40418b SetTextColor 4887->4889 4890 4041b3 4888->4890 4891 4041ad GetSysColor 4888->4891 4889->4888 4892 4041c4 4890->4892 4893 4041ba SetBkColor 4890->4893 4891->4890 4892->4894 4895 4041d7 DeleteObject 4892->4895 4896 4041de CreateBrushIndirect 4892->4896 4893->4892 4894->4834 4895->4896 4896->4894 5614 1000164f 5615 10001516 GlobalFree 5614->5615 5617 10001667 5615->5617 5616 100016ad GlobalFree 5617->5616 5618 10001682 5617->5618 5619 10001699 VirtualFree 5617->5619 5618->5616 5619->5616 5620 401491 5621 40517e 25 API calls 5620->5621 5622 401498 5621->5622 5623 401a15 5624 402bbf 18 API calls 5623->5624 5625 401a1e ExpandEnvironmentStringsW 5624->5625 5626 401a32 5625->5626 5628 401a45 5625->5628 5627 401a37 lstrcmpW 5626->5627 5626->5628 5627->5628 5629 402515 5630 402bbf 18 API calls 5629->5630 5631 40251c 5630->5631 5634 405bf4 GetFileAttributesW CreateFileW 5631->5634 5633 402528 5634->5633 5635 402095 5636 402bbf 18 API calls 5635->5636 5637 40209c 5636->5637 5638 402bbf 18 API calls 5637->5638 5639 4020a6 5638->5639 5640 402bbf 18 API calls 5639->5640 5641 4020b0 5640->5641 5642 402bbf 18 API calls 5641->5642 5643 4020ba 5642->5643 5644 402bbf 18 API calls 5643->5644 5645 4020c4 5644->5645 5646 402103 CoCreateInstance 5645->5646 5647 402bbf 18 API calls 5645->5647 5650 402122 5646->5650 5647->5646 5648 
401423 25 API calls 5649 4021e1 5648->5649 5650->5648 5650->5649 5651 401b16 5652 402bbf 18 API calls 5651->5652 5653 401b1d 5652->5653 5654 402ba2 18 API calls 5653->5654 5655 401b26 wsprintfW 5654->5655 5656 402a4c 5655->5656 5657 10001058 5659 10001074 5657->5659 5658 100010dd 5659->5658 5660 10001516 GlobalFree 5659->5660 5661 10001092 5659->5661 5660->5661 5662 10001516 GlobalFree 5661->5662 5663 100010a2 5662->5663 5664 100010b2 5663->5664 5665 100010a9 GlobalSize 5663->5665 5666 100010b6 GlobalAlloc 5664->5666 5667 100010c7 5664->5667 5665->5664 5668 1000153d 3 API calls 5666->5668 5669 100010d2 GlobalFree 5667->5669 5668->5667 5669->5658 4988 40159b 4989 402bbf 18 API calls 4988->4989 4990 4015a2 SetFileAttributesW 4989->4990 4991 4015b4 4990->4991 5000 40229d 5001 4022a5 5000->5001 5006 4022ab 5000->5006 5002 402bbf 18 API calls 5001->5002 5002->5006 5003 402bbf 18 API calls 5004 4022b9 5003->5004 5005 4022c7 5004->5005 5007 402bbf 18 API calls 5004->5007 5008 402bbf 18 API calls 5005->5008 5006->5003 5006->5004 5007->5005 5009 4022d0 WritePrivateProfileStringW 5008->5009 5684 401f1d 5685 402bbf 18 API calls 5684->5685 5686 401f24 5685->5686 5687 4063f5 5 API calls 5686->5687 5688 401f33 5687->5688 5689 401fb7 5688->5689 5690 401f4f GlobalAlloc 5688->5690 5690->5689 5691 401f63 5690->5691 5692 4063f5 5 API calls 5691->5692 5693 401f6a 5692->5693 5694 4063f5 5 API calls 5693->5694 5695 401f74 5694->5695 5695->5689 5699 405f66 wsprintfW 5695->5699 5697 401fa9 5700 405f66 wsprintfW 5697->5700 5699->5697 5700->5689 5701 40149e 5702 402288 5701->5702 5703 4014ac PostQuitMessage 5701->5703 5703->5702 5704 40249e 5705 402cc9 19 API calls 5704->5705 5706 4024a8 5705->5706 5707 402ba2 18 API calls 5706->5707 5708 4024b1 5707->5708 5709 4024d5 RegEnumValueW 5708->5709 5710 4024c9 RegEnumKeyW 5708->5710 5712 40281e 5708->5712 5711 4024ee RegCloseKey 5709->5711 5709->5712 5710->5711 5711->5712 5060 40231f 5061 402324 5060->5061 5062 40234f 5060->5062 5083 402cc9 
5061->5083 5064 402bbf 18 API calls 5062->5064 5066 402356 5064->5066 5065 40232b 5067 402335 5065->5067 5071 40236c 5065->5071 5072 402bff RegOpenKeyExW 5066->5072 5068 402bbf 18 API calls 5067->5068 5069 40233c RegDeleteValueW RegCloseKey 5068->5069 5069->5071 5073 402c93 5072->5073 5076 402c2a 5072->5076 5073->5071 5074 402c50 RegEnumKeyW 5075 402c62 RegCloseKey 5074->5075 5074->5076 5078 4063f5 5 API calls 5075->5078 5076->5074 5076->5075 5077 402c87 RegCloseKey 5076->5077 5079 402bff 5 API calls 5076->5079 5081 402c76 5077->5081 5080 402c72 5078->5080 5079->5076 5080->5081 5082 402ca2 RegDeleteKeyW 5080->5082 5081->5073 5082->5081 5084 402bbf 18 API calls 5083->5084 5085 402ce2 5084->5085 5086 402cf0 RegOpenKeyExW 5085->5086 5086->5065 5721 100010e1 5722 10001111 5721->5722 5723 100011d8 GlobalFree 5722->5723 5724 100012ba 2 API calls 5722->5724 5725 100011d3 5722->5725 5726 10001272 2 API calls 5722->5726 5727 10001164 GlobalAlloc 5722->5727 5728 100011f8 GlobalFree 5722->5728 5729 100011c4 GlobalFree 5722->5729 5730 100012e1 lstrcpyW 5722->5730 5724->5722 5725->5723 5726->5729 5727->5722 5728->5722 5729->5722 5730->5722 5731 401ca3 5732 402ba2 18 API calls 5731->5732 5733 401ca9 IsWindow 5732->5733 5734 401a05 5733->5734 5735 403826 5736 403831 5735->5736 5737 403838 GlobalAlloc 5736->5737 5738 403835 5736->5738 5737->5738 5739 402a27 SendMessageW 5740 402a41 InvalidateRect 5739->5740 5741 402a4c 5739->5741 5740->5741 5742 40242a 5743 402cc9 19 API calls 5742->5743 5744 402434 5743->5744 5745 402bbf 18 API calls 5744->5745 5746 40243d 5745->5746 5747 402448 RegQueryValueExW 5746->5747 5750 40281e 5746->5750 5748 40246e RegCloseKey 5747->5748 5749 402468 5747->5749 5748->5750 5749->5748 5753 405f66 wsprintfW 5749->5753 5753->5748 4897 40172d 4898 402bbf 18 API calls 4897->4898 4899 401734 SearchPathW 4898->4899 4900 40174f 4899->4900 5761 404231 lstrlenW 5762 404250 5761->5762 5763 404252 WideCharToMultiByte 5761->5763 5762->5763 5764 4027b4 5765 4027ba 
5764->5765 5766 4027c2 FindClose 5765->5766 5767 402a4c 5765->5767 5766->5767 4907 401b37 4908 401b44 4907->4908 4909 401b88 4907->4909 4910 401bcd 4908->4910 4915 401b5b 4908->4915 4911 401bb2 GlobalAlloc 4909->4911 4912 401b8d 4909->4912 4914 406041 18 API calls 4910->4914 4919 402288 4910->4919 4913 406041 18 API calls 4911->4913 4912->4919 4928 40601f lstrcpynW 4912->4928 4913->4910 4917 402282 4914->4917 4926 40601f lstrcpynW 4915->4926 4921 405764 MessageBoxIndirectW 4917->4921 4918 401b9f GlobalFree 4918->4919 4921->4919 4922 401b6a 4927 40601f lstrcpynW 4922->4927 4924 401b79 4929 40601f lstrcpynW 4924->4929 4926->4922 4927->4924 4928->4918 4929->4919 5768 404537 5769 404547 5768->5769 5770 40456d 5768->5770 5771 4040e3 19 API calls 5769->5771 5772 40414a 8 API calls 5770->5772 5773 404554 SetDlgItemTextW 5771->5773 5774 404579 5772->5774 5773->5770 5775 402537 5776 402562 5775->5776 5777 40254b 5775->5777 5779 402596 5776->5779 5780 402567 5776->5780 5778 402ba2 18 API calls 5777->5778 5787 402552 5778->5787 5782 402bbf 18 API calls 5779->5782 5781 402bbf 18 API calls 5780->5781 5783 40256e WideCharToMultiByte lstrlenA 5781->5783 5784 40259d lstrlenW 5782->5784 5783->5787 5784->5787 5785 4025e0 5786 4025ca 5786->5785 5788 405ca6 WriteFile 5786->5788 5787->5785 5787->5786 5789 405cd5 5 API calls 5787->5789 5788->5785 5789->5786 5790 4014b8 5791 4014be 5790->5791 5792 401389 2 API calls 5791->5792 5793 4014c6 5792->5793 4941 4015b9 4942 402bbf 18 API calls 4941->4942 4943 4015c0 4942->4943 4944 405a7e 4 API calls 4943->4944 4957 4015c9 4944->4957 4945 401629 4947 40165b 4945->4947 4948 40162e 4945->4948 4946 405a00 CharNextW 4946->4957 4951 401423 25 API calls 4947->4951 4949 401423 25 API calls 4948->4949 4950 401635 4949->4950 4960 40601f lstrcpynW 4950->4960 4956 401653 4951->4956 4953 4056ca 2 API calls 4953->4957 4954 4056e7 5 API calls 4954->4957 4955 401642 SetCurrentDirectoryW 4955->4956 4957->4945 4957->4946 4957->4953 4957->4954 4958 40160f 
GetFileAttributesW 4957->4958 4959 40564d 4 API calls 4957->4959 4958->4957 4959->4957 4960->4955 5794 40293b 5795 402ba2 18 API calls 5794->5795 5796 402941 5795->5796 5797 402964 5796->5797 5798 40297d 5796->5798 5807 40281e 5796->5807 5799 402969 5797->5799 5800 40297a 5797->5800 5801 402993 5798->5801 5802 402987 5798->5802 5808 40601f lstrcpynW 5799->5808 5809 405f66 wsprintfW 5800->5809 5804 406041 18 API calls 5801->5804 5803 402ba2 18 API calls 5802->5803 5803->5807 5804->5807 5808->5807 5809->5807 5010 4052bd 5011 405467 5010->5011 5012 4052de GetDlgItem GetDlgItem GetDlgItem 5010->5012 5014 405470 GetDlgItem CreateThread FindCloseChangeNotification 5011->5014 5017 405498 5011->5017 5056 404118 SendMessageW 5012->5056 5014->5017 5059 405251 5 API calls 5014->5059 5015 40534e 5022 405355 GetClientRect GetSystemMetrics SendMessageW SendMessageW 5015->5022 5016 4054c3 5020 405523 5016->5020 5021 4054cf 5016->5021 5017->5016 5018 4054e8 5017->5018 5019 4054af ShowWindow ShowWindow 5017->5019 5026 40414a 8 API calls 5018->5026 5058 404118 SendMessageW 5019->5058 5020->5018 5029 405531 SendMessageW 5020->5029 5024 4054d7 5021->5024 5025 4054fd ShowWindow 5021->5025 5027 4053c3 5022->5027 5028 4053a7 SendMessageW SendMessageW 5022->5028 5030 4040bc SendMessageW 5024->5030 5032 40551d 5025->5032 5033 40550f 5025->5033 5031 4054f6 5026->5031 5036 4053d6 5027->5036 5037 4053c8 SendMessageW 5027->5037 5028->5027 5029->5031 5038 40554a CreatePopupMenu 5029->5038 5030->5018 5035 4040bc SendMessageW 5032->5035 5034 40517e 25 API calls 5033->5034 5034->5032 5035->5020 5040 4040e3 19 API calls 5036->5040 5037->5036 5039 406041 18 API calls 5038->5039 5041 40555a AppendMenuW 5039->5041 5042 4053e6 5040->5042 5043 405577 GetWindowRect 5041->5043 5044 40558a TrackPopupMenu 5041->5044 5045 405423 GetDlgItem SendMessageW 5042->5045 5046 4053ef ShowWindow 5042->5046 5043->5044 5044->5031 5048 4055a5 5044->5048 5045->5031 5047 40544a SendMessageW SendMessageW 5045->5047 5049 
405412 5046->5049 5050 405405 ShowWindow 5046->5050 5047->5031 5051 4055c1 SendMessageW 5048->5051 5057 404118 SendMessageW 5049->5057 5050->5049 5051->5051 5052 4055de OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 5051->5052 5054 405603 SendMessageW 5052->5054 5054->5054 5055 40562c GlobalUnlock SetClipboardData CloseClipboard 5054->5055 5055->5031 5056->5015 5057->5045 5058->5016 5810 10002a7f 5811 10002a97 5810->5811 5812 1000158f 2 API calls 5811->5812 5813 10002ab2 5812->5813

                                              Control-flow Graph

                                              APIs
                                              • SetErrorMode.KERNELBASE ref: 0040328C
                                              • GetVersion.KERNEL32 ref: 00403292
                                              • #17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 004032E2
                                              • OleInitialize.OLE32(00000000), ref: 004032E9
                                              • SHGetFileInfoW.SHELL32(004206C8,00000000,?,000002B4,00000000), ref: 00403305
                                              • GetCommandLineW.KERNEL32(00428220,NSIS Error), ref: 0040331A
                                              • GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Unspuriousness.exe",00000000), ref: 0040332D
                                              • CharNextW.USER32(00000000,"C:\Users\user\Desktop\Unspuriousness.exe",00000020), ref: 00403354
                                                • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                              • GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040348F
                                              • GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034A0
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034AC
                                              • GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034C0
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034C8
                                              • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 004034D9
                                              • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 004034E1
                                              • DeleteFileW.KERNELBASE(1033), ref: 004034F5
                                                • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                              • OleUninitialize.OLE32(?), ref: 004035C0
                                              • ExitProcess.KERNEL32 ref: 004035E2
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004035F5
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040926C), ref: 00403604
                                              • lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040360F
                                              • lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Unspuriousness.exe",00000000,?), ref: 0040361B
                                              • SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403637
                                              • DeleteFileW.KERNEL32(0041FEC8,0041FEC8,?,0042A000,?), ref: 00403691
                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\Unspuriousness.exe,0041FEC8,00000001), ref: 004036A5
                                              • CloseHandle.KERNEL32(00000000,0041FEC8,0041FEC8,?,0041FEC8,00000000), ref: 004036D2
                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403701
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 00403708
                                              • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040371D
                                              • AdjustTokenPrivileges.ADVAPI32 ref: 00403740
                                              • ExitWindowsEx.USER32(00000002,80040002), ref: 00403765
                                              • ExitProcess.KERNEL32 ref: 00403788
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
                                              • String ID: "C:\Users\user\Desktop\Unspuriousness.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\outsplendour\urite$C:\Users\user\AppData\Local\outsplendour\urite\autograferet$C:\Users\user\Desktop$C:\Users\user\Desktop\Unspuriousness.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
                                              • API String ID: 3586999533-488382804
                                              • Opcode ID: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
                                              • Instruction ID: 47b2dd04bf5340fec55df09ad24e258ddf9dfe897e1895205e314fce2ef220c4
                                              • Opcode Fuzzy Hash: fda6c057a4537dba88034d229a92b30a1776572ee97949e398e0e99b98fea1a3
                                              • Instruction Fuzzy Hash: 08D12770604200BAD720BF659D49A3B3AACEB4170AF50487FF441B61D2DB7D9941CB6E

                                              Control-flow Graph

                                              control_flow_graph 135 4052bd-4052d8 136 405467-40546e 135->136 137 4052de-4053a5 GetDlgItem * 3 call 404118 call 404a1b GetClientRect GetSystemMetrics SendMessageW * 2 135->137 139 405470-405492 GetDlgItem CreateThread FindCloseChangeNotification 136->139 140 405498-4054a5 136->140 155 4053c3-4053c6 137->155 156 4053a7-4053c1 SendMessageW * 2 137->156 139->140 142 4054c3-4054cd 140->142 143 4054a7-4054ad 140->143 147 405523-405527 142->147 148 4054cf-4054d5 142->148 145 4054e8-4054f1 call 40414a 143->145 146 4054af-4054be ShowWindow * 2 call 404118 143->146 159 4054f6-4054fa 145->159 146->142 147->145 150 405529-40552f 147->150 152 4054d7-4054e3 call 4040bc 148->152 153 4054fd-40550d ShowWindow 148->153 150->145 157 405531-405544 SendMessageW 150->157 152->145 160 40551d-40551e call 4040bc 153->160 161 40550f-405518 call 40517e 153->161 164 4053d6-4053ed call 4040e3 155->164 165 4053c8-4053d4 SendMessageW 155->165 156->155 166 405646-405648 157->166 167 40554a-405575 CreatePopupMenu call 406041 AppendMenuW 157->167 160->147 161->160 174 405423-405444 GetDlgItem SendMessageW 164->174 175 4053ef-405403 ShowWindow 164->175 165->164 166->159 172 405577-405587 GetWindowRect 167->172 173 40558a-40559f TrackPopupMenu 167->173 172->173 173->166 177 4055a5-4055bc 173->177 174->166 176 40544a-405462 SendMessageW * 2 174->176 178 405412 175->178 179 405405-405410 ShowWindow 175->179 176->166 180 4055c1-4055dc SendMessageW 177->180 181 405418-40541e call 404118 178->181 179->181 180->180 182 4055de-405601 OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 180->182 181->174 184 405603-40562a SendMessageW 182->184 184->184 185 40562c-405640 GlobalUnlock SetClipboardData CloseClipboard 184->185 185->166
                                              APIs
                                              • GetDlgItem.USER32(?,00000403), ref: 0040531B
                                              • GetDlgItem.USER32(?,000003EE), ref: 0040532A
                                              • GetClientRect.USER32(?,?), ref: 00405367
                                              • GetSystemMetrics.USER32(00000002), ref: 0040536E
                                              • SendMessageW.USER32(?,00001061,00000000,?), ref: 0040538F
                                              • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053A0
                                              • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053B3
                                              • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053C1
                                              • SendMessageW.USER32(?,00001024,00000000,?), ref: 004053D4
                                              • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004053F6
                                              • ShowWindow.USER32(?,00000008), ref: 0040540A
                                              • GetDlgItem.USER32(?,000003EC), ref: 0040542B
                                              • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040543B
                                              • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405454
                                              • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405460
                                              • GetDlgItem.USER32(?,000003F8), ref: 00405339
                                                • Part of subcall function 00404118: SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                              • GetDlgItem.USER32(?,000003EC), ref: 0040547D
                                              • CreateThread.KERNELBASE(00000000,00000000,Function_00005251,00000000), ref: 0040548B
                                              • FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405492
                                              • ShowWindow.USER32(00000000), ref: 004054B6
                                              • ShowWindow.USER32(?,00000008), ref: 004054BB
                                              • ShowWindow.USER32(00000008), ref: 00405505
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405539
                                              • CreatePopupMenu.USER32 ref: 0040554A
                                              • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040555E
                                              • GetWindowRect.USER32(?,?), ref: 0040557E
                                              • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405597
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 004055CF
                                              • OpenClipboard.USER32(00000000), ref: 004055DF
                                              • EmptyClipboard.USER32 ref: 004055E5
                                              • GlobalAlloc.KERNEL32(00000042,00000000), ref: 004055F1
                                              • GlobalLock.KERNEL32(00000000), ref: 004055FB
                                              • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040560F
                                              • GlobalUnlock.KERNEL32(00000000), ref: 0040562F
                                              • SetClipboardData.USER32(0000000D,00000000), ref: 0040563A
                                              • CloseClipboard.USER32 ref: 00405640
                                              Similarity
                                              • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                              • String ID: {
                                              • API String ID: 4154960007-366298937
                                              • Opcode ID: da2ca2b418a71cb7626a400892366c561e1cdf4532a0086df1c8728d7d787aa1
                                              • Instruction ID: 3cf410e3b9716a944c4f9a47a0d896a4f96f7db2f8ccf501d1eae2c46102dad2
                                              • Opcode Fuzzy Hash: da2ca2b418a71cb7626a400892366c561e1cdf4532a0086df1c8728d7d787aa1
                                              • Instruction Fuzzy Hash: 85B13A71900208FFDB21AF60DD85AAE7B79FB44355F40803AFA01BA1A0C7755E52DF69

                                              Control-flow Graph

                                              control_flow_graph 430 406041-40604c 431 40604e-40605d 430->431 432 40605f-406075 430->432 431->432 433 40607b-406088 432->433 434 40628d-406293 432->434 433->434 437 40608e-406095 433->437 435 406299-4062a4 434->435 436 40609a-4060a7 434->436 438 4062a6-4062aa call 40601f 435->438 439 4062af-4062b0 435->439 436->435 440 4060ad-4060b9 436->440 437->434 438->439 442 40627a 440->442 443 4060bf-4060fb 440->443 444 406288-40628b 442->444 445 40627c-406286 442->445 446 406101-40610c GetVersion 443->446 447 40621b-40621f 443->447 444->434 445->434 450 406126 446->450 451 40610e-406112 446->451 448 406221-406225 447->448 449 406254-406258 447->449 453 406235-406242 call 40601f 448->453 454 406227-406233 call 405f66 448->454 456 406267-406278 lstrlenW 449->456 457 40625a-406262 call 406041 449->457 455 40612d-406134 450->455 451->450 452 406114-406118 451->452 452->450 458 40611a-40611e 452->458 468 406247-406250 453->468 454->468 460 406136-406138 455->460 461 406139-40613b 455->461 456->434 457->456 458->450 464 406120-406124 458->464 460->461 466 406177-40617a 461->466 467 40613d-40615a call 405eec 461->467 464->455 471 40618a-40618d 466->471 472 40617c-406188 GetSystemDirectoryW 466->472 475 40615f-406163 467->475 468->456 470 406252 468->470 476 406213-406219 call 4062b3 470->476 473 4061f8-4061fa 471->473 474 40618f-40619d GetWindowsDirectoryW 471->474 477 4061fc-406200 472->477 473->477 478 40619f-4061a9 473->478 474->473 479 406202-406206 475->479 480 406169-406172 call 406041 475->480 476->456 477->476 477->479 482 4061c3-4061d9 SHGetSpecialFolderLocation 478->482 483 4061ab-4061ae 478->483 479->476 485 406208-40620e lstrcatW 479->485 480->477 488 4061f4 482->488 489 4061db-4061f2 SHGetPathFromIDListW CoTaskMemFree 482->489 483->482 487 4061b0-4061b7 483->487 485->476 491 4061bf-4061c1 487->491 488->473 489->477 489->488 491->477 491->482
                                              APIs
                                              • GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,?,004051B5,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,00000000,0040FEC0), ref: 00406104
                                              • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406182
                                              • GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 00406195
                                              • SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004061D1
                                              • SHGetPathFromIDListW.SHELL32(?,Call), ref: 004061DF
                                              • CoTaskMemFree.OLE32(?), ref: 004061EA
                                              • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040620E
                                              • lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,?,004051B5,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,00000000,0040FEC0), ref: 00406268
                                              Similarity
                                              • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                                              • String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                              • API String ID: 900638850-84844405
                                              • Opcode ID: 2cf121e3e7616b5f5fc1bd3774cadb37834e6b4aa39da4076735cc4ba433a86e
                                              • Instruction ID: fd30239bcabdd6b9b5dacf38e9278243e7343c89492a0aeb8152419411716c6f
                                              • Opcode Fuzzy Hash: 2cf121e3e7616b5f5fc1bd3774cadb37834e6b4aa39da4076735cc4ba433a86e
                                              • Instruction Fuzzy Hash: 70614771A00101ABDF209F64CC40AAE37A5AF51314F12817FE916BA2D1D73D89A2CB5E

                                              Control-flow Graph

                                              control_flow_graph 492 405810-405836 call 405adb 495 405838-40584a DeleteFileW 492->495 496 40584f-405856 492->496 497 4059cc-4059d0 495->497 498 405858-40585a 496->498 499 405869-405879 call 40601f 496->499 501 405860-405863 498->501 502 40597a-40597f 498->502 505 405888-405889 call 405a1f 499->505 506 40587b-405886 lstrcatW 499->506 501->499 501->502 502->497 504 405981-405984 502->504 507 405986-40598c 504->507 508 40598e-405996 call 406362 504->508 509 40588e-405892 505->509 506->509 507->497 508->497 516 405998-4059ac call 4059d3 call 4057c8 508->516 512 405894-40589c 509->512 513 40589e-4058a4 lstrcatW 509->513 512->513 515 4058a9-4058c5 lstrlenW FindFirstFileW 512->515 513->515 517 4058cb-4058d3 515->517 518 40596f-405973 515->518 534 4059c4-4059c7 call 40517e 516->534 535 4059ae-4059b1 516->535 521 4058f3-405907 call 40601f 517->521 522 4058d5-4058dd 517->522 518->502 520 405975 518->520 520->502 532 405909-405911 521->532 533 40591e-405929 call 4057c8 521->533 524 405952-405962 FindNextFileW 522->524 525 4058df-4058e7 522->525 524->517 528 405968-405969 FindClose 524->528 525->521 529 4058e9-4058f1 525->529 528->518 529->521 529->524 532->524 537 405913-40591c call 405810 532->537 545 40594a-40594d call 40517e 533->545 546 40592b-40592e 533->546 534->497 535->507 536 4059b3-4059c2 call 40517e call 405ec0 535->536 536->497 537->524 545->524 548 405930-405940 call 40517e call 405ec0 546->548 549 405942-405948 546->549 548->524 549->524
                                              APIs
                                              • DeleteFileW.KERNELBASE(?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unspuriousness.exe"), ref: 00405839
                                              • lstrcatW.KERNEL32(00424710,\*.*), ref: 00405881
                                              • lstrcatW.KERNEL32(?,00409014), ref: 004058A4
                                              • lstrlenW.KERNEL32(?,?,00409014,?,00424710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unspuriousness.exe"), ref: 004058AA
                                              • FindFirstFileW.KERNEL32(00424710,?,?,?,00409014,?,00424710,?,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unspuriousness.exe"), ref: 004058BA
                                              • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,00409300,0000002E), ref: 0040595A
                                              • FindClose.KERNEL32(00000000), ref: 00405969
                                              Strings
                                              • \*.*, xrefs: 0040587B
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 0040581D
                                              • "C:\Users\user\Desktop\Unspuriousness.exe", xrefs: 00405819
                                              Similarity
                                              • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                              • String ID: "C:\Users\user\Desktop\Unspuriousness.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
                                              • API String ID: 2035342205-717675726
                                              • Opcode ID: 444c957dec2a676252e87809a4c54072b8c76e9a6927f2055d166312a46e5fa8
                                              • Instruction ID: d8405d9d0b65c0b5bb91e26b2d86fa163654aae1973f92c1c3fedea70a861e09
                                              • Opcode Fuzzy Hash: 444c957dec2a676252e87809a4c54072b8c76e9a6927f2055d166312a46e5fa8
                                              • Instruction Fuzzy Hash: EA41F271800A18FACB21BB658C49BBF7A78EB81365F10817BF805711D1C77C4D919EAE
                                              Similarity
                                              • Opcode ID: 4d5afdfc0dd836d6b0ea96e9b1d1cc0e1a6a0a23e9a334f3c2dfe03cdace4acf
                                              • Instruction ID: 25739d06ab219284b51534763859987154442e2999ed31f69dfe775b8bf1d6bb
                                              • Opcode Fuzzy Hash: 4d5afdfc0dd836d6b0ea96e9b1d1cc0e1a6a0a23e9a334f3c2dfe03cdace4acf
                                              • Instruction Fuzzy Hash: 09F17671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44
                                              APIs
                                              • FindFirstFileW.KERNELBASE(74DF3420,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
                                              • FindClose.KERNEL32(00000000), ref: 00406379
                                              Similarity
                                              • API ID: Find$CloseFileFirst
                                              • String ID: XWB
                                              • API String ID: 2295610775-4039527733
                                              • Opcode ID: 0fc78072580e2aa021d4eb5561dc00c277e918fd128e5e9fad30f275acd9c25d
                                              • Instruction ID: b60ab41fd2821b41d0b392bba1ac2053f61c2dcbfada57179e30504603363e2d
                                              • Opcode Fuzzy Hash: 0fc78072580e2aa021d4eb5561dc00c277e918fd128e5e9fad30f275acd9c25d
                                              • Instruction Fuzzy Hash: BBD0123194C1209FD3401778BD0C88B7B989B553317214B72FD2AF23E0C3388C6586D9
                                              APIs
                                              • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040280A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: FileFindFirst
                                              • String ID:
                                              • API String ID: 1974802433-0
                                              • Opcode ID: 969cbda3b3cfe11703c14b4ce8f4b9b3fb4feaebf9848e8514cb89d3c6c7a4d8
                                              • Instruction ID: 5886dfe4bc611d4993f15ed40ae28ce81127269af5662ddb55851ccd49cbf6f1
                                              • Opcode Fuzzy Hash: 969cbda3b3cfe11703c14b4ce8f4b9b3fb4feaebf9848e8514cb89d3c6c7a4d8
                                              • Instruction Fuzzy Hash: 10F05E71A00115ABC711EFA4DD49AAEB378FF04324F1005BBF105E21E1D6B89A409B29

                                              Control-flow Graph

                                              APIs
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C47
                                              • ShowWindow.USER32(?), ref: 00403C64
                                              • DestroyWindow.USER32 ref: 00403C78
                                              • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403C94
                                              • GetDlgItem.USER32(?,?), ref: 00403CB5
                                              • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CC9
                                              • IsWindowEnabled.USER32(00000000), ref: 00403CD0
                                              • GetDlgItem.USER32(?,00000001), ref: 00403D7E
                                              • GetDlgItem.USER32(?,00000002), ref: 00403D88
                                              • SetClassLongW.USER32(?,000000F2,?), ref: 00403DA2
                                              • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403DF3
                                              • GetDlgItem.USER32(?,00000003), ref: 00403E99
                                              • ShowWindow.USER32(00000000,?), ref: 00403EBA
                                              • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403ECC
                                              • EnableWindow.USER32(?,?), ref: 00403EE7
                                              • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403EFD
                                              • EnableMenuItem.USER32(00000000), ref: 00403F04
                                              • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F1C
                                              • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F2F
                                              • lstrlenW.KERNEL32(00422708,?,00422708,00428220), ref: 00403F58
                                              • SetWindowTextW.USER32(?,00422708), ref: 00403F6C
                                              • ShowWindow.USER32(?,0000000A), ref: 004040A0
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                              • String ID:
                                              • API String ID: 3282139019-0
                                              • Opcode ID: 18a99261430c4225635231928db8a64f2f43d3b33d48ccba4c43f88b8e0e4f23
                                              • Instruction ID: 61cac7681639d4f9e887145b94be1570fe16d39d0a036e069046cfcd2a92ab20
                                              • Opcode Fuzzy Hash: 18a99261430c4225635231928db8a64f2f43d3b33d48ccba4c43f88b8e0e4f23
                                              • Instruction Fuzzy Hash: 3BC1C071A04200BBDB316F61ED84E2B3AACEB95705F50053EF601B11F1CB799992DB6E

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 004063F5: GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                                • Part of subcall function 004063F5: GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                              • lstrcatW.KERNEL32(1033,00422708), ref: 004038E9
                                              • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\outsplendour\urite,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000,00000002,74DF3420), ref: 00403969
                                              • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\outsplendour\urite,1033,00422708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422708,00000000), ref: 0040397C
                                              • GetFileAttributesW.KERNEL32(Call), ref: 00403987
                                              • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\outsplendour\urite), ref: 004039D0
                                                • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
                                              • RegisterClassW.USER32(004281C0), ref: 00403A0D
                                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A25
                                              • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A5A
                                              • ShowWindow.USER32(00000005,00000000), ref: 00403A90
                                              • GetClassInfoW.USER32(00000000,RichEdit20W,004281C0), ref: 00403ABC
                                              • GetClassInfoW.USER32(00000000,RichEdit,004281C0), ref: 00403AC9
                                              • RegisterClassW.USER32(004281C0), ref: 00403AD2
                                              • DialogBoxParamW.USER32(?,00000000,00403C0B,00000000), ref: 00403AF1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: "C:\Users\user\Desktop\Unspuriousness.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\outsplendour\urite$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                              • API String ID: 1975747703-1124712588
                                              • Opcode ID: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
                                              • Instruction ID: 2be98759588b12f3ea5babf1b6ec1a1322f2c31473ef1d4f92accd895ea03b39
                                              • Opcode Fuzzy Hash: db80b2588597b3e26acc2e4c4de499a3f9846f615b8d16b47e4426e139c46013
                                              • Instruction Fuzzy Hash: C861A670644200BAD220AF669D45F3B3A6CEB84749F80457FF941B22E2CB7C6D01CA7E

                                              Control-flow Graph

                                              APIs
                                              • GetTickCount.KERNEL32 ref: 00402DFF
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Unspuriousness.exe,00000400,?,?,00000000,00403504,?), ref: 00402E1B
                                                • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Unspuriousness.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                              • GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Unspuriousness.exe,C:\Users\user\Desktop\Unspuriousness.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00402E67
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: File$AttributesCountCreateModuleNameSizeTick
                                              • String ID: "C:\Users\user\Desktop\Unspuriousness.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Unspuriousness.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
                                              • API String ID: 4283519449-3188520421
                                              • Opcode ID: b725974a6df1d82cb729a900034c9e7c9e4530fc883352e2762ffba139ff69ae
                                              • Instruction ID: cad0cac5a7d3da6b721da94722abfb33afad8597fd9771d3107dd1117b6c1d4f
                                              • Opcode Fuzzy Hash: b725974a6df1d82cb729a900034c9e7c9e4530fc883352e2762ffba139ff69ae
                                              • Instruction Fuzzy Hash: EA51D471901216ABDB209F64DE89B9E7BB8EB04354F20407BF904F62D1C7BC9D419BAD

                                              Control-flow Graph

                                              APIs
                                              • lstrcatW.KERNEL32(00000000,00000000), ref: 004017A8
                                              • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\outsplendour\urite\autograferet,?,?,00000031), ref: 004017CD
                                                • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00403160), ref: 004051D9
                                                • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll), ref: 004051EB
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                              • String ID: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp$C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll$C:\Users\user\AppData\Local\outsplendour\urite\autograferet$Call
                                              • API String ID: 1941528284-2591477082
                                              • Opcode ID: 1af66f6b7640f5d51d4aa18a28294518de0f7505a6e023cac1eb676d37d1de9b
                                              • Instruction ID: e39dfb19bb2720adffc224853af95c022162de9bd11196ce21bc9617d3384428
                                              • Opcode Fuzzy Hash: 1af66f6b7640f5d51d4aa18a28294518de0f7505a6e023cac1eb676d37d1de9b
                                              • Instruction Fuzzy Hash: 9041D571900515BACF20BFB5CC45DAF3679EF45328B20427BF422B50E2DB3C8A519A6D

                                              Control-flow Graph

                                              APIs
                                              • lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                              • lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                              • lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00403160), ref: 004051D9
                                              • SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll), ref: 004051EB
                                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                              • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                              • SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                              • String ID: Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll
                                              • API String ID: 2531174081-3687871134

                                              Control-flow Graph

                                              control_flow_graph 636 4025e5-4025fa call 402ba2 639 402600-402607 636->639 640 402a4c-402a4f 636->640 642 402609 639->642 643 40260c-40260f 639->643 641 402a55-402a5b 640->641 642->643 644 402773-40277b 643->644 645 402615-402624 call 405f7f 643->645 644->640 645->644 649 40262a 645->649 650 402630-402634 649->650 651 4026c9-4026cc 650->651 652 40263a-402655 ReadFile 650->652 654 4026e4-4026f4 call 405c77 651->654 655 4026ce-4026d1 651->655 652->644 653 40265b-402660 652->653 653->644 658 402666-402674 653->658 654->644 664 4026f6 654->664 655->654 656 4026d3-4026de call 405cd5 655->656 656->644 656->654 661 40267a-40268c MultiByteToWideChar 658->661 662 40272f-40273b call 405f66 658->662 661->664 665 40268e-402691 661->665 662->641 667 4026f9-4026fc 664->667 668 402693-40269e 665->668 667->662 670 4026fe-402703 667->670 668->667 671 4026a0-4026c5 SetFilePointer MultiByteToWideChar 668->671 672 402740-402744 670->672 673 402705-40270a 670->673 671->668 674 4026c7 671->674 675 402761-40276d SetFilePointer 672->675 676 402746-40274a 672->676 673->672 677 40270c-40271f 673->677 674->664 675->644 678 402752-40275f 676->678 679 40274c-402750 676->679 677->644 680 402721-402727 677->680 678->644 679->675 679->678 680->650 681 40272d 680->681 681->644
                                              APIs
                                              • ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
                                              • SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
                                              • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1
                                                • Part of subcall function 00405CD5: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405CEB
                                              • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: File$Pointer$ByteCharMultiWide$Read
                                              • String ID: 9
                                              • API String ID: 163830602-2366072709

                                              Control-flow Graph

                                              control_flow_graph 682 403027-40303e 683 403040 682->683 684 403047-40304f 682->684 683->684 685 403051 684->685 686 403056-40305b 684->686 685->686 687 40306b-403078 call 40320c 686->687 688 40305d-403066 call 403222 686->688 692 4031c3 687->692 693 40307e-403082 687->693 688->687 696 4031c5-4031c6 692->696 694 403088-4030a8 GetTickCount call 406514 693->694 695 4031ac-4031ae 693->695 706 403202 694->706 708 4030ae-4030b6 694->708 697 4031b0-4031b3 695->697 698 4031f7-4031fb 695->698 700 403205-403209 696->700 701 4031b5 697->701 702 4031b8-4031c1 call 40320c 697->702 703 4031c8-4031ce 698->703 704 4031fd 698->704 701->702 702->692 715 4031ff 702->715 709 4031d0 703->709 710 4031d3-4031e1 call 40320c 703->710 704->706 706->700 712 4030b8 708->712 713 4030bb-4030c9 call 40320c 708->713 709->710 710->692 719 4031e3-4031ef call 405ca6 710->719 712->713 713->692 721 4030cf-4030d8 713->721 715->706 724 4031f1-4031f4 719->724 725 4031a8-4031aa 719->725 723 4030de-4030fb call 406534 721->723 728 403101-403118 GetTickCount 723->728 729 4031a4-4031a6 723->729 724->698 725->696 730 403163-403165 728->730 731 40311a-403122 728->731 729->696 734 403167-40316b 730->734 735 403198-40319c 730->735 732 403124-403128 731->732 733 40312a-40315b MulDiv wsprintfW call 40517e 731->733 732->730 732->733 740 403160 733->740 737 403180-403186 734->737 738 40316d-403172 call 405ca6 734->738 735->708 739 4031a2 735->739 742 40318c-403190 737->742 743 403177-403179 738->743 739->706 740->730 742->723 744 403196 742->744 743->725 745 40317b-40317e 743->745 744->706 745->742
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CountTick$wsprintf
                                              • String ID: ... %d%%
                                              • API String ID: 551687249-2449383134

                                              Control-flow Graph

                                              control_flow_graph 746 40237b-4023c1 call 402cb4 call 402bbf * 2 RegCreateKeyExW 753 4023c7-4023cf 746->753 754 402a4c-402a5b 746->754 756 4023d1-4023de call 402bbf lstrlenW 753->756 757 4023e2-4023e5 753->757 756->757 760 4023f5-4023f8 757->760 761 4023e7-4023f4 call 402ba2 757->761 764 402409-40241d RegSetValueExW 760->764 765 4023fa-402404 call 403027 760->765 761->760 766 402422-4024fc RegCloseKey 764->766 767 40241f 764->767 765->764 766->754 771 40281e-402825 766->771 767->766 771->754
                                              APIs
                                              • RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
                                              • lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nskD5BD.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
                                              • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nskD5BD.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
                                              • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nskD5BD.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CloseCreateValuelstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp
                                              • API String ID: 1356686001-1041218443

                                              Control-flow Graph

                                              control_flow_graph 772 40564d-405698 CreateDirectoryW 773 40569a-40569c 772->773 774 40569e-4056ab GetLastError 772->774 775 4056c5-4056c7 773->775 774->775 776 4056ad-4056c1 SetFileSecurityW 774->776 776->773 777 4056c3 GetLastError 776->777 777->775
                                              APIs
                                              • CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
                                              • GetLastError.KERNEL32 ref: 004056A4
                                              • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056B9
                                              • GetLastError.KERNEL32 ref: 004056C3
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405673
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: ErrorLast$CreateDirectoryFileSecurity
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 3449924974-3081826266

                                              Control-flow Graph

                                              control_flow_graph 778 402bff-402c28 RegOpenKeyExW 779 402c93-402c97 778->779 780 402c2a-402c35 778->780 781 402c50-402c60 RegEnumKeyW 780->781 782 402c62-402c74 RegCloseKey call 4063f5 781->782 783 402c37-402c3a 781->783 791 402c76-402c85 782->791 792 402c9a-402ca0 782->792 784 402c87-402c8a RegCloseKey 783->784 785 402c3c-402c4e call 402bff 783->785 787 402c90-402c92 784->787 785->781 785->782 787->779 791->779 792->787 793 402ca2-402cb0 RegDeleteKeyW 792->793 793->787 794 402cb2 793->794 794->779
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
                                              • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
                                              • RegCloseKey.ADVAPI32(?), ref: 00402C65
                                              • RegCloseKey.ADVAPI32(?), ref: 00402C8A
                                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Close$DeleteEnumOpen
                                              • String ID:
                                              • API String ID: 1912718029-0

                                              Control-flow Graph

                                              control_flow_graph 796 10001759-10001795 call 10001b18 800 100018a6-100018a8 796->800 801 1000179b-1000179f 796->801 802 100017a1-100017a7 call 10002286 801->802 803 100017a8-100017b5 call 100022d0 801->803 802->803 808 100017e5-100017ec 803->808 809 100017b7-100017bc 803->809 810 1000180c-10001810 808->810 811 100017ee-1000180a call 100024a9 call 100015b4 call 10001272 GlobalFree 808->811 812 100017d7-100017da 809->812 813 100017be-100017bf 809->813 814 10001812-1000184c call 100015b4 call 100024a9 810->814 815 1000184e-10001854 call 100024a9 810->815 837 10001855-10001859 811->837 812->808 816 100017dc-100017dd call 10002b5f 812->816 818 100017c1-100017c2 813->818 819 100017c7-100017c8 call 100028a4 813->819 814->837 815->837 830 100017e2 816->830 825 100017c4-100017c5 818->825 826 100017cf-100017d5 call 10002645 818->826 827 100017cd 819->827 825->808 825->819 836 100017e4 826->836 827->830 830->836 836->808 840 10001896-1000189d 837->840 841 1000185b-10001869 call 1000246c 837->841 840->800 843 1000189f-100018a0 GlobalFree 840->843 846 10001881-10001888 841->846 847 1000186b-1000186e 841->847 843->800 846->840 849 1000188a-10001895 call 1000153d 846->849 847->846 848 10001870-10001878 847->848 848->846 850 1000187a-1000187b FreeLibrary 848->850 849->840 850->846
                                              APIs
                                                • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
                                                • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
                                                • Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D
                                              • GlobalFree.KERNEL32(00000000), ref: 10001804
                                              • FreeLibrary.KERNEL32(?), ref: 1000187B
                                              • GlobalFree.KERNEL32(00000000), ref: 100018A0
                                                • Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8
                                                • Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7
                                                • Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Global$Free$Alloc$Librarylstrcpy
                                              • String ID:
                                              • API String ID: 1791698881-3916222277
                                              APIs
                                              • RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F16
                                              • RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F37
                                              • RegCloseKey.KERNELBASE(?,?,0040615F,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F5A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID: Call
                                              • API String ID: 3677997916-1824292864
                                              • Opcode ID: c3918b15ec2dd140c4f3d1bafefc28aadc87a0cff0ebfff7b8d124f540ee4f6a
                                              • Instruction ID: c601889377c76b9115debbe7433e53646a10130b96f6f591fa827391142cde11
                                              • Opcode Fuzzy Hash: c3918b15ec2dd140c4f3d1bafefc28aadc87a0cff0ebfff7b8d124f540ee4f6a
                                              • Instruction Fuzzy Hash: 26010C3255020AEADB218F65ED09E9B3BACEF44350B004026F919D6260D735D964DFA5
                                              APIs
                                              • GetTickCount.KERNEL32 ref: 00405C41
                                              • GetTempFileNameW.KERNELBASE(00409300,?,00000000,?,?,?,00000000,00403268,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00405C5C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CountFileNameTempTick
                                              • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                              • API String ID: 1716503409-678247507
                                              • Opcode ID: f059ee56c8deccd03f6e154050eb187f2ccb3477461fa331799173a8e43ad9ef
                                              • Instruction ID: 4fdac09ee551a982241d11f866b864b283b1b610f450d112551ccb25b2c02e5c
                                              • Opcode Fuzzy Hash: f059ee56c8deccd03f6e154050eb187f2ccb3477461fa331799173a8e43ad9ef
                                              • Instruction Fuzzy Hash: 0EF03676B04208BFEB108F55DD49E9BB7ADEB95750F10403AF901F7150E6B0AE548758
                                              APIs
                                              • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
                                              • wsprintfW.USER32 ref: 004063DB
                                              • LoadLibraryW.KERNELBASE(?), ref: 004063EB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: DirectoryLibraryLoadSystemwsprintf
                                              • String ID: %s%S.dll
                                              • API String ID: 2200240437-2744773210
                                              • Opcode ID: 8eb02a3bbd68b69db90ac38405ec0e3d1a99f1663c9491293569e02019d06da0
                                              • Instruction ID: 006adf5c24d44cc190f28e383f23d96ea846dcb1794efbef959ff2cbc64c9496
                                              • Opcode Fuzzy Hash: 8eb02a3bbd68b69db90ac38405ec0e3d1a99f1663c9491293569e02019d06da0
                                              • Instruction Fuzzy Hash: D6F09030910119EBDB14AB68DD4DEAB366CAB00304F104476A906F21E1E77CEA68CBE9
                                              APIs
                                                • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00403160), ref: 004051D9
                                                • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll), ref: 004051EB
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                                • Part of subcall function 004056FF: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
                                                • Part of subcall function 004056FF: CloseHandle.KERNEL32(00409300), ref: 00405735
                                              • WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
                                              • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
                                              • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
                                              • String ID:
                                              • API String ID: 3585118688-0
                                              • Opcode ID: a1d795c7baf1e7290d110ce85c2d9cf729f4c63947e2ae07be1deb4f77e0bcaf
                                              • Instruction ID: f6705c9319aae76dbd7499045e6368890872edf6032e54a723c1862b254634bc
                                              • Opcode Fuzzy Hash: a1d795c7baf1e7290d110ce85c2d9cf729f4c63947e2ae07be1deb4f77e0bcaf
                                              • Instruction Fuzzy Hash: 7611A131900108EBCF21AFA1CD8499E7AB6EB04314F24407BF601B61E1C7798A819B9D
                                              APIs
                                                • Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unspuriousness.exe"), ref: 00405A8C
                                                • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
                                                • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
                                              • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612
                                                • Part of subcall function 0040564D: CreateDirectoryW.KERNELBASE(?,00409300,C:\Users\user\AppData\Local\Temp\), ref: 00405690
                                              • SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\outsplendour\urite\autograferet,?,00000000,000000F0), ref: 00401645
                                              Strings
                                              • C:\Users\user\AppData\Local\outsplendour\urite\autograferet, xrefs: 00401638
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                              • String ID: C:\Users\user\AppData\Local\outsplendour\urite\autograferet
                                              • API String ID: 1892508949-2631710045
                                              • Opcode ID: dd004403bb78615ebe310ef398b070af55ffdf45b6279b398ddf670e6eb8005a
                                              • Instruction ID: 9984d83288963ddb5bfb53596c8c9f6ed7fbdeacdcadece23b283b8c4b9f7bd6
                                              • Opcode Fuzzy Hash: dd004403bb78615ebe310ef398b070af55ffdf45b6279b398ddf670e6eb8005a
                                              • Instruction Fuzzy Hash: 70119331504505EBCF206FA48D4199F3AB1EF44368B24097BEA05B61F2D63A4A819E5E
                                              APIs
                                                • Part of subcall function 0040601F: lstrcpynW.KERNEL32(00409300,00409300,00000400,0040331A,00428220,NSIS Error), ref: 0040602C
                                                • Part of subcall function 00405A7E: CharNextW.USER32(?,?,00424F10,00409300,00405AF2,00424F10,00424F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unspuriousness.exe"), ref: 00405A8C
                                                • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405A91
                                                • Part of subcall function 00405A7E: CharNextW.USER32(00000000), ref: 00405AA9
                                              • lstrlenW.KERNEL32(00424F10,00000000,00424F10,00424F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,74DF3420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Unspuriousness.exe"), ref: 00405B34
                                              • GetFileAttributesW.KERNELBASE(00424F10,00424F10,00424F10,00424F10,00424F10,00424F10,00000000,00424F10,00424F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 00405B44
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 00405ADB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 3248276644-3081826266
                                              • Opcode ID: 5cd88eb9c331bd035ef3732d22fdb38d6df270911e15b1e56a74679c362f2206
                                              • Instruction ID: a8deb24d6afa2735206f329f0351f59021ff10951cf48c606255c952c9ad3203
                                              • Opcode Fuzzy Hash: 5cd88eb9c331bd035ef3732d22fdb38d6df270911e15b1e56a74679c362f2206
                                              • Instruction Fuzzy Hash: CBF04921304E5215D622323A1C44AAF3554CFC1364705073BB861721E1CB3C9943DE7E
                                              APIs
                                              • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425710,Error launching installer), ref: 00405728
                                              • CloseHandle.KERNEL32(00409300), ref: 00405735
                                              Strings
                                              • Error launching installer, xrefs: 00405712
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CloseCreateHandleProcess
                                              • String ID: Error launching installer
                                              • API String ID: 3712363035-66219284
                                              • Opcode ID: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
                                              • Instruction ID: 0e3d6bea0253e84bb75e95f5fd13ebb7f1c25267a9e23a2e11a0c59c818b3a51
                                              • Opcode Fuzzy Hash: b8225b8e790b3fd0efe802e75bacfbac7fa780f619c07fe13b6fa50099ed031b
                                              • Instruction Fuzzy Hash: A1E0BFB4A50209BFEB10AB64ED45F7B77ADE704604F408521BD10F6190D774A9118A79
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: f1b0bcb74e89e0527ce0e7aeb25a080aa3b7917c16b08ac734cf8879bcce8d5f
                                              • Instruction ID: 5fe4abb7369df3af91b149f2edb7ea720d50bcc67b973f9abb1089395dd24c70
                                              • Opcode Fuzzy Hash: f1b0bcb74e89e0527ce0e7aeb25a080aa3b7917c16b08ac734cf8879bcce8d5f
                                              • Instruction Fuzzy Hash: C0A14471E00229CBDF28CFA8C8546ADBBB1FF44305F11856AD956BB281C7785A96CF44
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4d9f9556e65149fb8038c12abebdeeaff41015fbe822045bf8c0f712664e9a4c
                                              • Instruction ID: 7dc68a506d8d0f3fe9b520a6289ddaa7cfd75a66a39107a8603bac83b987cce9
                                              • Opcode Fuzzy Hash: 4d9f9556e65149fb8038c12abebdeeaff41015fbe822045bf8c0f712664e9a4c
                                              • Instruction Fuzzy Hash: 58912370D00229CBDF28CFA8C854BADBBB1FF44305F15816AD956BB291C7789A96CF44
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: fedee03a87f183305429df1632bc9847bb667c1ae34a6a4f86b425fb5205d62c
                                              • Instruction ID: aa61b8b4d6b896fc10b82c5715850ba22d426d73d4dcb40af3c311b95fbd5bbf
                                              • Opcode Fuzzy Hash: fedee03a87f183305429df1632bc9847bb667c1ae34a6a4f86b425fb5205d62c
                                              • Instruction Fuzzy Hash: 1B815671E00229CFDF24CFA8C844BADBBB1FB44305F25816AD456BB291C7789A96CF54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: e8c959f377d96a3870dba63dd65060f52c5bbf460a72db2a5b2be4756d911549
                                              • Instruction ID: 6afa8d85982321809285efd67767f231e28451523f56623c0a237c64ba690010
                                              • Opcode Fuzzy Hash: e8c959f377d96a3870dba63dd65060f52c5bbf460a72db2a5b2be4756d911549
                                              • Instruction Fuzzy Hash: 7E816731E00229DBDF24CFA9D844BADBBB0FB44305F11816AE856BB2C0C7785A96DF44
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 0a8ee5da33216ad141207925d20784d11e66eebf924bd7a5457e3a8945fa9096
                                              • Instruction ID: b0afa4bf9b2f32aef8b418d90c6ac84aec3754d6d6600e102a8a9184c58ea877
                                              • Opcode Fuzzy Hash: 0a8ee5da33216ad141207925d20784d11e66eebf924bd7a5457e3a8945fa9096
                                              • Instruction Fuzzy Hash: FD712471E00229DFDF24CFA8C844BADBBB1FB48305F15806AD846BB290C7395996DF54
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
                                              • Instruction ID: 02d0d75cb83947f83aad45c50880e4a386b83e744e149296eb7fa161ab999f08
                                              • Opcode Fuzzy Hash: 62bad76ded8dc27f8eed87459cf3b90d4506ad753805ad6fcc8c39a10a3f4707
                                              • Instruction Fuzzy Hash: 08714671E00219CFDF24CFA8C844BADBBB1FB44305F15806AD856BB290C7385956DF44
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: aa3d38d161a72bddb6f80e1dac2624ab657c9951173fd352498b2eb393463e7a
                                              • Instruction ID: eb15c3353e008649bdc799d0a197d89dfb60748dd6a42a5e4cae05a50034cddc
                                              • Opcode Fuzzy Hash: aa3d38d161a72bddb6f80e1dac2624ab657c9951173fd352498b2eb393463e7a
                                              • Instruction Fuzzy Hash: 67714571E00229DBDF28CF98C844BADBBB1FF44305F11806AD956BB291C7789A66DF44
                                              APIs
                                              • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE
                                                • Part of subcall function 0040517E: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000,?), ref: 004051B6
                                                • Part of subcall function 0040517E: lstrlenW.KERNEL32(00403160,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000000,0040FEC0,00000000,?,?,?,?,?,?,?,?,?,00403160,00000000), ref: 004051C6
                                                • Part of subcall function 0040517E: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00403160), ref: 004051D9
                                                • Part of subcall function 0040517E: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll), ref: 004051EB
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405211
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040522B
                                                • Part of subcall function 0040517E: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405239
                                              • LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
                                              • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                              • String ID:
                                              • API String ID: 334405425-0
                                              APIs
                                              • GlobalFree.KERNEL32(00000000), ref: 00401BA7
                                              • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Global$AllocFree
                                              • String ID: Call
                                              • API String ID: 3394109436-1824292864
                                              APIs
                                                • Part of subcall function 00406362: FindFirstFileW.KERNELBASE(74DF3420,00425758,00424F10,00405B24,00424F10,00424F10,00000000,00424F10,00424F10,74DF3420,?,C:\Users\user\AppData\Local\Temp\,00405830,?,74DF3420,C:\Users\user\AppData\Local\Temp\), ref: 0040636D
                                                • Part of subcall function 00406362: FindClose.KERNEL32(00000000), ref: 00406379
                                              • lstrlenW.KERNEL32 ref: 0040222A
                                              • lstrlenW.KERNEL32(00000000), ref: 00402235
                                              • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 0040225E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: FileFindlstrlen$CloseFirstOperation
                                              • String ID:
                                              • API String ID: 1486964399-0
                                              APIs
                                                • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                              • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
                                              • RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
                                              • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nskD5BD.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Enum$CloseOpenValue
                                              • String ID:
                                              • API String ID: 167947723-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.4110055552.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000000.00000002.4110171841.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000000.00000002.4110231692.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: ErrorLast_open
                                              • String ID:
                                              • API String ID: 1632358481-0
                                              APIs
                                                • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                              • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
                                              • RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nskD5BD.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              APIs
                                              • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                              • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 1f472dfcc894d90b0504cb8d955b7f6dcf6f20f1f7a064cd725307f95b817da4
                                              • Instruction ID: 1e7952006d9e226a8eb598a62733b1cad305e59e596fc6f41a9a7203fe322f79
                                              • Opcode Fuzzy Hash: 1f472dfcc894d90b0504cb8d955b7f6dcf6f20f1f7a064cd725307f95b817da4
                                              • Instruction Fuzzy Hash: 9401D131B24210EBE7295B389C05B6A3698E720318F10867EB915F62F1DA78DC028B5D
                                              APIs
                                                • Part of subcall function 00402CC9: RegOpenKeyExW.ADVAPI32(00000000,?,00000000,00000022,00000000,?,?), ref: 00402CF1
                                              • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
                                              • RegCloseKey.ADVAPI32(00000000), ref: 00402347
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CloseDeleteOpenValue
                                              • String ID:
                                              • API String ID: 849931509-0
                                              • Opcode ID: cfb8fc06a93b176d0500bd6125704b8e8f0a89c3110928963136810bc9385231
                                              • Instruction ID: 78bc400ea2c38a342dc409f04ff34772de2348df94907e049583a87c4894aa7b
                                              • Opcode Fuzzy Hash: cfb8fc06a93b176d0500bd6125704b8e8f0a89c3110928963136810bc9385231
                                              • Instruction Fuzzy Hash: F2F0AF33A04100ABEB10BFB48A4EABE72699B40314F14843BF501B71D1C9FC9D025629
                                              APIs
                                              • OleInitialize.OLE32(00000000), ref: 00405261
                                                • Part of subcall function 0040412F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                              • OleUninitialize.OLE32(00000404,00000000), ref: 004052AD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: InitializeMessageSendUninitialize
                                              • String ID:
                                              • API String ID: 2896919175-0
                                              • Opcode ID: 31e57a3ef9e746435923b88dfd7bb1bf8fe4b89e6011e28fe58d1acc60f219fe
                                              • Instruction ID: 23d8d539379559b4eeea4a3d011d76145f80a4753e0c5d54cb32e1048881e4d2
                                              • Opcode Fuzzy Hash: 31e57a3ef9e746435923b88dfd7bb1bf8fe4b89e6011e28fe58d1acc60f219fe
                                              • Instruction Fuzzy Hash: 98F09073A04600EBEA219754A905B5773A4EFA0311F0548BEFE44B62E1D7795C428E6D
                                              APIs
                                              • GetModuleHandleA.KERNEL32(?,?,00000020,004032D6,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00406407
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00406422
                                                • Part of subcall function 00406389: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063A0
                                                • Part of subcall function 00406389: wsprintfW.USER32 ref: 004063DB
                                                • Part of subcall function 00406389: LoadLibraryW.KERNELBASE(?), ref: 004063EB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                              • String ID:
                                              • API String ID: 2547128583-0
                                              • Opcode ID: d7ac541ed48af1eacb80342b8b251201fb822529d60d72dade8e8733a6d6c095
                                              • Instruction ID: a9e24e321ddd3f073a9e6a165911cd393abac726806fbc755e3780b1e63cb1a6
                                              • Opcode Fuzzy Hash: d7ac541ed48af1eacb80342b8b251201fb822529d60d72dade8e8733a6d6c095
                                              • Instruction Fuzzy Hash: A7E086326082216BD31157745D4493B67A89BD5740306083EFD06F6181D734AC2296AD
                                              APIs
                                              • ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DF2
                                              • EnableWindow.USER32(00000000,00000000), ref: 00401DFD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Window$EnableShow
                                              • String ID:
                                              • API String ID: 1136574915-0
                                              • Opcode ID: 5b4dded21515e85cdd7dd763c9abdbba58e278b110e9914daaceba62c2ae1f2f
                                              • Instruction ID: c4cc9d8bc17b60f52f9d6b5ec52db5efc6ce13511ecacb80f957bec5d45ae41a
                                              • Opcode Fuzzy Hash: 5b4dded21515e85cdd7dd763c9abdbba58e278b110e9914daaceba62c2ae1f2f
                                              • Instruction Fuzzy Hash: 69E08C32A04100ABC720AFB5AE8999E3375EF50369B10047BE402F10E1C6BCAC408A6E
                                              APIs
                                              • GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Unspuriousness.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                              • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: File$AttributesCreate
                                              • String ID:
                                              • API String ID: 415043291-0
                                              • Opcode ID: 742792ff7842fdd919adb4f35d156b5e8b6622b1384091bd21e9a064bfd9155a
                                              • Instruction ID: be88a92cb82447fd1599dbd49a9896cb6db060ceaa3ec03b2970cb079924df1d
                                              • Opcode Fuzzy Hash: 742792ff7842fdd919adb4f35d156b5e8b6622b1384091bd21e9a064bfd9155a
                                              • Instruction Fuzzy Hash: FDD09E71658201AFEF098F20DE16F2E7AA2EB84B00F10562CB642940E0D6B15815DB16
                                              APIs
                                              • CreateDirectoryW.KERNELBASE(?,00000000,0040325D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004056D0
                                              • GetLastError.KERNEL32 ref: 004056DE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CreateDirectoryErrorLast
                                              • String ID:
                                              • API String ID: 1375471231-0
                                              • Opcode ID: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
                                              • Instruction ID: d706e5ae47c7ee36432b9320fd90c1f42ce8b6abbc3a43a90ad219fc8104f268
                                              • Opcode Fuzzy Hash: d8dd424ede50ccfac4b7523ad15fca3fe61b3a2743ebd4ec855a49df1000c641
                                              • Instruction Fuzzy Hash: 5DC04C30A19602DBDA105B31DD0871B7954AB50742F60CD36610AE51A0DA769811DD3E
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0
                                                • Part of subcall function 00405F66: wsprintfW.USER32 ref: 00405F73
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: FilePointerwsprintf
                                              • String ID:
                                              • API String ID: 327478801-0
                                              • Opcode ID: 64c495f6a90fc039130ad8c13d00fda46c397e26af27c45f3e8a2568f411c02f
                                              • Instruction ID: 1ea0f4fe546ff0a6cc1a224cb0175f0568d280dd86a823eff906e537ce259dc5
                                              • Opcode Fuzzy Hash: 64c495f6a90fc039130ad8c13d00fda46c397e26af27c45f3e8a2568f411c02f
                                              • Instruction Fuzzy Hash: DBE01A72A05514ABDB11AFA59E4ACAF766AEB40328B14443BF105F00E1C67D8D019A2E
                                              APIs
                                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: PrivateProfileStringWrite
                                              • String ID:
                                              • API String ID: 390214022-0
                                              • Opcode ID: 0286e3c2219f2336aac24a8adfc5af7a950c5186903a8fadcfb356e78ce5c9c9
                                              • Instruction ID: 900e0ed31166daec82b0b067df29ce1ac5916d1a5491b2584b310d9ae4f56f06
                                              • Opcode Fuzzy Hash: 0286e3c2219f2336aac24a8adfc5af7a950c5186903a8fadcfb356e78ce5c9c9
                                              • Instruction Fuzzy Hash: 5BE04F319001246ADB113EF10E8ED7F31695B40314B1405BFB511B66C6D5FC1D4146A9
                                              APIs
                                              • SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401741
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: PathSearch
                                              • String ID:
                                              • API String ID: 2203818243-0
                                              • Opcode ID: 81b4f86a52adf68e4702c4bb0bdf75428b0e0818ea45aab8824d6c610dacd1e5
                                              • Instruction ID: 0851ebd2278d1e7daa5b6d30d0a19f3cab84c03b6f2ce2edda3e72f353adab80
                                              • Opcode Fuzzy Hash: 81b4f86a52adf68e4702c4bb0bdf75428b0e0818ea45aab8824d6c610dacd1e5
                                              • Instruction Fuzzy Hash: DAE04F72304100ABD710CFA4DE49AAA77ACDB403A8F20457BE615A61D1E6B49A41972D
                                              APIs
                                              • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040321F,00000000,00000000,00403076,000000FF,00000004,00000000,00000000,00000000), ref: 00405C8B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: FileRead
                                              • String ID:
                                              • API String ID: 2738559852-0
                                              • Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                              • Instruction ID: b406f17295b0c4e2c80a39b4892fee2aa768816fba0af151b3e099c9f54450aa
                                              • Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
                                              • Instruction Fuzzy Hash: 3BE08632114259ABDF119E508C04EEB3B5CEB04350F004436F911E3180D230E9209BA4
                                              APIs
                                              • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004031ED,00000000,0040BEC0,?,0040BEC0,?,000000FF,00000004,00000000), ref: 00405CBA
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID:
                                              • API String ID: 3934441357-0
                                              • Opcode ID: 00c0377323aa53eb430c82b83f01e62a2601c7c92c94a0140a128221a0f71a88
                                              • Instruction ID: 8766ac6266e8b07294e6d952513c2b0c694ccf73d68c0bd44325f5ff4784c02c
                                              • Opcode Fuzzy Hash: 00c0377323aa53eb430c82b83f01e62a2601c7c92c94a0140a128221a0f71a88
                                              • Instruction Fuzzy Hash: D4E08C3222835AABEF119E548C00EEB3B6CEB01360F004833F915E3190E231E9209BA8
                                              APIs
                                              • VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.4110055552.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000000.00000002.4110171841.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000000.00000002.4110231692.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: ProtectVirtual
                                              • String ID:
                                              • API String ID: 544645111-0
                                              • Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                              • Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
                                              • Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
                                              • Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19
                                              APIs
                                              • GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: PrivateProfileString
                                              • String ID:
                                              • API String ID: 1096422788-0
                                              • Opcode ID: 66f8b3e970e184d3ebc304a94ec291b034400799dc8d029390466380a40aecae
                                              • Instruction ID: 98211d2feed0509b4c5daa86fa820328d7278c452558b0b50cc2825d3d111cbc
                                              • Opcode Fuzzy Hash: 66f8b3e970e184d3ebc304a94ec291b034400799dc8d029390466380a40aecae
                                              • Instruction Fuzzy Hash: 64E04F30800204BBDF01AFA4CD49DBD3B79AB00344F14043AF900AB1D5E7F89A809749
                                              APIs
                                              • SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: AttributesFile
                                              • String ID:
                                              • API String ID: 3188754299-0
                                              • Opcode ID: a6288d54b80525e4349bfae1f7e543b331b6d0696a7466d7176cefea4ee373d8
                                              • Instruction ID: 1b5af1e6617a4a9cd807fc22027cae36a39ca3b3e6b8606dbe65da2ef404c620
                                              • Opcode Fuzzy Hash: a6288d54b80525e4349bfae1f7e543b331b6d0696a7466d7176cefea4ee373d8
                                              • Instruction Fuzzy Hash: 41D01233B04100DBCB10DFA89A0869D77659B40334B208677D501F21E5D6B9C5515A19
                                              APIs
                                              • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: c20ba2f4b44bb730ed9beb80e31de2705d99c650012490af2887c79ee983c6a6
                                              • Instruction ID: 1f6dcfa326d5252f97bf96967583e82957cdc04532489552bbed9deb9ca34131
                                              • Opcode Fuzzy Hash: c20ba2f4b44bb730ed9beb80e31de2705d99c650012490af2887c79ee983c6a6
                                              • Instruction Fuzzy Hash: 26C09B757443017BDA318F509D49F27775867A4700F2544397350F70D0C774E451D61D
                                              APIs
                                              • SendMessageW.USER32(00000028,?,00000001,00403F44), ref: 00404126
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend
                                              • String ID:
                                              • API String ID: 3850602802-0
                                              • Opcode ID: 60aa1d835f0e1251744f08a8622f304abcf8d31a66d486a38430c06eb2f41270
                                              • Instruction ID: 29b39a71cad52391c8dc255d064a3e1ff9ef0cb324877085b5716ecfb2dd3a49
                                              • Opcode Fuzzy Hash: 60aa1d835f0e1251744f08a8622f304abcf8d31a66d486a38430c06eb2f41270
                                              • Instruction Fuzzy Hash: 80B09236A84200BADA214B00ED09F857A62A76C701F008864B300240B0CAB284A2DB19
                                              APIs
                                              • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,00403504,?), ref: 00403230
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: FilePointer
                                              • String ID:
                                              • API String ID: 973152223-0
                                              • Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                              • Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
                                              • Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
                                              • Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D
                                              APIs
                                              • KiUserCallbackDispatcher.NTDLL(?,00403EDD), ref: 0040410F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CallbackDispatcherUser
                                              • String ID:
                                              • API String ID: 2492992576-0
                                              • Opcode ID: d47f543a0a5cf9255e047f9efd0c7089eb13675c2c376fedb6fe0e8f1e294cbf
                                              • Instruction ID: 08b0993790eca83da4683932159a1945e4cd9185bce414af844fcd550f832719
                                              • Opcode Fuzzy Hash: d47f543a0a5cf9255e047f9efd0c7089eb13675c2c376fedb6fe0e8f1e294cbf
                                              • Instruction Fuzzy Hash: 9AA01132808000ABCA028B80EF08C0ABB22FBE0300B008838F2008003083320820EB0A
                                              APIs
                                              • Sleep.KERNELBASE(00000000), ref: 004014E6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Sleep
                                              • String ID:
                                              • API String ID: 3472027048-0
                                              • Opcode ID: 70669ac5e73c5e0fd120337f743f0ec3388cc295a7de1ade3031c69f4afd3847
                                              • Instruction ID: 97e26b744c28169e8b025be137c519adc4d29a227e598783c976d4988d520b86
                                              • Opcode Fuzzy Hash: 70669ac5e73c5e0fd120337f743f0ec3388cc295a7de1ade3031c69f4afd3847
                                              • Instruction Fuzzy Hash: 47D0C977B14100ABD720EFB9AE898AB73ACEB513293204833D902E10A2D579D802866D
                                              APIs
                                              • GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: AllocGlobal
                                              • String ID:
                                              • API String ID: 3761449716-0
                                              • Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                              • Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
                                              • Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
                                              • Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638
                                              APIs
                                              • GetDlgItem.USER32(?,000003F9), ref: 00404B12
                                              • GetDlgItem.USER32(?,00000408), ref: 00404B1D
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 00404B67
                                              • LoadBitmapW.USER32(0000006E), ref: 00404B7A
                                              • SetWindowLongW.USER32(?,000000FC,004050F2), ref: 00404B93
                                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BA7
                                              • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BB9
                                              • SendMessageW.USER32(?,00001109,00000002), ref: 00404BCF
                                              • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BDB
                                              • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404BED
                                              • DeleteObject.GDI32(00000000), ref: 00404BF0
                                              • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C1B
                                              • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C27
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CBD
                                              • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CE8
                                              • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CFC
                                              • GetWindowLongW.USER32(?,000000F0), ref: 00404D2B
                                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D39
                                              • ShowWindow.USER32(?,00000005), ref: 00404D4A
                                              • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E47
                                              • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EAC
                                              • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EC1
                                              • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EE5
                                              • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F05
                                              • ImageList_Destroy.COMCTL32(?), ref: 00404F1A
                                              • GlobalFree.KERNEL32(?), ref: 00404F2A
                                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FA3
                                              • SendMessageW.USER32(?,00001102,?,?), ref: 0040504C
                                              • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040505B
                                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0040507B
                                              • ShowWindow.USER32(?,00000000), ref: 004050C9
                                              • GetDlgItem.USER32(?,000003FE), ref: 004050D4
                                              • ShowWindow.USER32(00000000), ref: 004050DB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                              • String ID: $M$N
                                              • API String ID: 1638840714-813528018
                                              APIs
                                              • GetDlgItem.USER32(?,000003FB), ref: 004045CD
                                              • SetWindowTextW.USER32(00000000,?), ref: 004045F7
                                              • SHBrowseForFolderW.SHELL32(?), ref: 004046A8
                                              • CoTaskMemFree.OLE32(00000000), ref: 004046B3
                                              • lstrcmpiW.KERNEL32(Call,00422708,00000000,?,?), ref: 004046E5
                                              • lstrcatW.KERNEL32(?,Call), ref: 004046F1
                                              • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404703
                                                • Part of subcall function 00405748: GetDlgItemTextW.USER32(?,?,00000400,0040473A), ref: 0040575B
                                                • Part of subcall function 004062B3: CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\Unspuriousness.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
                                                • Part of subcall function 004062B3: CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
                                                • Part of subcall function 004062B3: CharNextW.USER32(00409300,"C:\Users\user\Desktop\Unspuriousness.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
                                                • Part of subcall function 004062B3: CharPrevW.USER32(00409300,00409300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D
                                              • GetDiskFreeSpaceW.KERNEL32(004206D8,?,?,0000040F,?,004206D8,004206D8,?,00000001,004206D8,?,?,000003FB,?), ref: 004047C6
                                              • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004047E1
                                                • Part of subcall function 0040493A: lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                                • Part of subcall function 0040493A: wsprintfW.USER32 ref: 004049E4
                                                • Part of subcall function 0040493A: SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                              • String ID: A$C:\Users\user\AppData\Local\outsplendour\urite$Call
                                              • API String ID: 2624150263-2295503529
                                              APIs
                                                • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                              • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
                                              • lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
                                              • lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
                                              • GlobalFree.KERNEL32(00000000), ref: 10001C89
                                              • GlobalFree.KERNEL32(?), ref: 10001D83
                                              • GlobalFree.KERNEL32(?), ref: 10001D88
                                              • GlobalFree.KERNEL32(?), ref: 10001D8D
                                              • GlobalFree.KERNEL32(00000000), ref: 10001F38
                                              • lstrcpyW.KERNEL32(?,?), ref: 1000209C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Global$Free$lstrcpy$Alloc
                                              • String ID:
                                              • API String ID: 4227406936-0
                                              APIs
                                              • CoCreateInstance.OLE32(0040749C,?,00000001,0040748C,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114
                                              Strings
                                              • C:\Users\user\AppData\Local\outsplendour\urite\autograferet, xrefs: 00402154
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CreateInstance
                                              • String ID: C:\Users\user\AppData\Local\outsplendour\urite\autograferet
                                              • API String ID: 542301482-2631710045
                                              APIs
                                              • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040431E
                                              • GetDlgItem.USER32(?,000003E8), ref: 00404332
                                              • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040434F
                                              • GetSysColor.USER32(?), ref: 00404360
                                              • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040436E
                                              • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040437C
                                              • lstrlenW.KERNEL32(?), ref: 00404381
                                              • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040438E
                                              • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043A3
                                              • GetDlgItem.USER32(?,0000040A), ref: 004043FC
                                              • SendMessageW.USER32(00000000), ref: 00404403
                                              • GetDlgItem.USER32(?,000003E8), ref: 0040442E
                                              • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404471
                                              • LoadCursorW.USER32(00000000,00007F02), ref: 0040447F
                                              • SetCursor.USER32(00000000), ref: 00404482
                                              • ShellExecuteW.SHELL32(0000070B,open,004271C0,00000000,00000000,00000001), ref: 00404497
                                              • LoadCursorW.USER32(00000000,00007F00), ref: 004044A3
                                              • SetCursor.USER32(00000000), ref: 004044A6
                                              • SendMessageW.USER32(00000111,00000001,00000000), ref: 004044D5
                                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 004044E7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                                              • String ID: Call$N$open
                                              • API String ID: 3615053054-2563687911
                                              APIs
                                              • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                              • BeginPaint.USER32(?,?), ref: 00401047
                                              • GetClientRect.USER32(?,?), ref: 0040105B
                                              • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                              • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                              • DeleteObject.GDI32(?), ref: 004010ED
                                              • CreateFontIndirectW.GDI32(?), ref: 00401105
                                              • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                              • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                              • SelectObject.GDI32(00000000,?), ref: 00401140
                                              • DrawTextW.USER32(00000000,00428220,000000FF,00000010,00000820), ref: 00401156
                                              • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                              • DeleteObject.GDI32(?), ref: 00401165
                                              • EndPaint.USER32(?,?), ref: 0040116E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                              • String ID: F
                                              • API String ID: 941294808-1304234792
                                              APIs
                                              • lstrcpyW.KERNEL32(00425DA8,NUL), ref: 00405D5D
                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00409300,00405EE1,?,?), ref: 00405D81
                                              • GetShortPathNameW.KERNEL32(?,00425DA8,00000400), ref: 00405D8A
                                                • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                                • Part of subcall function 00405B59: lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                              • GetShortPathNameW.KERNEL32(004265A8,004265A8,00000400), ref: 00405DA7
                                              • wsprintfA.USER32 ref: 00405DC5
                                              • GetFileSize.KERNEL32(00000000,00000000,004265A8,C0000000,00000004,004265A8,?,?,?,?,?), ref: 00405E00
                                              • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E0F
                                              • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E47
                                              • SetFilePointer.KERNEL32(00409578,00000000,00000000,00000000,00000000,004259A8,00000000,-0000000A,00409578,00000000,[Rename],00000000,00000000,00000000), ref: 00405E9D
                                              • GlobalFree.KERNEL32(00000000), ref: 00405EAE
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EB5
                                                • Part of subcall function 00405BF4: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\Unspuriousness.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405BF8
                                                • Part of subcall function 00405BF4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,00403504,?), ref: 00405C1A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
                                              • String ID: %ls=%ls$NUL$[Rename]
                                              • API String ID: 222337774-899692902
                                              APIs
                                              • GlobalFree.KERNEL32(00000000), ref: 10002416
                                                • Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C
                                              • GlobalAlloc.KERNEL32(00000040), ref: 10002397
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.4110055552.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000000.00000002.4110171841.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000000.00000002.4110231692.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                              • String ID: @Hmu
                                              • API String ID: 4216380887-887474944
                                              APIs
                                              • CharNextW.USER32(00409300,*?|<>/":,00000000,"C:\Users\user\Desktop\Unspuriousness.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 00406316
                                              • CharNextW.USER32(00409300,00409300,00409300,00000000), ref: 00406325
                                              • CharNextW.USER32(00409300,"C:\Users\user\Desktop\Unspuriousness.exe",74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040632A
                                              • CharPrevW.USER32(00409300,00409300,74DF3420,C:\Users\user\AppData\Local\Temp\,00000000,00403245,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 0040633D
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004062B4
                                              • *?|<>/":, xrefs: 00406305
                                              • "C:\Users\user\Desktop\Unspuriousness.exe", xrefs: 004062F7
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Char$Next$Prev
                                              • String ID: "C:\Users\user\Desktop\Unspuriousness.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 589700163-2159154759
                                              APIs
                                              • GetWindowLongW.USER32(?,000000EB), ref: 00404167
                                              • GetSysColor.USER32(00000000), ref: 00404183
                                              • SetTextColor.GDI32(?,00000000), ref: 0040418F
                                              • SetBkMode.GDI32(?,?), ref: 0040419B
                                              • GetSysColor.USER32(?), ref: 004041AE
                                              • SetBkColor.GDI32(?,?), ref: 004041BE
                                              • DeleteObject.GDI32(?), ref: 004041D8
                                              • CreateBrushIndirect.GDI32(?), ref: 004041E2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                              • String ID:
                                              • API String ID: 2320649405-0
                                              APIs
                                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A63
                                              • GetMessagePos.USER32 ref: 00404A6B
                                              • ScreenToClient.USER32(?,?), ref: 00404A85
                                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404A97
                                              • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ABD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Message$Send$ClientScreen
                                              • String ID: f
                                              • API String ID: 41195575-1993550816
                                              APIs
                                              • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
                                              • MulDiv.KERNEL32(0007CB28,00000064,0007CD2C), ref: 00402D4D
                                              • wsprintfW.USER32 ref: 00402D5D
                                              • SetWindowTextW.USER32(?,?), ref: 00402D6D
                                              • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F
                                              Strings
                                              • verifying installer: %d%%, xrefs: 00402D57
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Text$ItemTimerWindowwsprintf
                                              • String ID: verifying installer: %d%%
                                              • API String ID: 1451636040-82062127
                                              APIs
                                              • GetDC.USER32(?), ref: 00401D59
                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
                                              • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
                                              • ReleaseDC.USER32(?,00000000), ref: 00401D86
                                              • CreateFontIndirectW.GDI32(0040BDD0), ref: 00401DD1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CapsCreateDeviceFontIndirectRelease
                                              • String ID: Calibri
                                              • API String ID: 3808545654-1409258342
                                              APIs
                                                • Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225
                                              • GlobalFree.KERNEL32(?), ref: 10002572
                                              • GlobalFree.KERNEL32(00000000), ref: 100025AD
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Global$Free$Alloc
                                              • String ID:
                                              • API String ID: 1780285237-0
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
                                              • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
                                              • GlobalFree.KERNEL32(?), ref: 004028E9
                                              • GlobalFree.KERNEL32(00000000), ref: 004028FC
                                              • CloseHandle.KERNEL32(?), ref: 00402914
                                              • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Global$AllocFree$CloseDeleteFileHandle
                                              • String ID:
                                              • API String ID: 2667972263-0
                                              APIs
                                              • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nskD5BD.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
                                              • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nskD5BD.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: ByteCharMultiWidelstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\nskD5BD.tmp$C:\Users\user\AppData\Local\Temp\nskD5BD.tmp\System.dll
                                              • API String ID: 3109718747-3857331897
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: FreeGlobal
                                              • String ID:
                                              • API String ID: 2979337801-0
                                              APIs
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
                                              • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
                                              • GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
                                              • GlobalFree.KERNEL32(00000000), ref: 10001642
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              • Associated: 00000000.00000002.4110055552.0000000010000000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000000.00000002.4110171841.0000000010003000.00000002.00000001.01000000.00000007.sdmp
                                              • Associated: 00000000.00000002.4110231692.0000000010005000.00000002.00000001.01000000.00000007.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                              • String ID:
                                              • API String ID: 1148316912-0
                                              • Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                              • Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
                                              • Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
                                              • Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1
                                              APIs
                                              • GetDlgItem.USER32(?,?), ref: 00401D00
                                              • GetClientRect.USER32(00000000,?), ref: 00401D0D
                                              • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
                                              • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
                                              • DeleteObject.GDI32(00000000), ref: 00401D4B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.4102010026.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102067043.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000421000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000426000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000042C000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000434000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.000000000044E000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102096434.0000000000451000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.4102320219.0000000000453000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                              • String ID:
                                              • API String ID: 1849352358-0
                                              • Opcode ID: 2257fd8ab512881f6a75dfd94c1adc6df68088fb9580fd68ddbbd23d113039a2
                                              • Instruction ID: fda10597d29eaa6b078217e10feb255e8dba845150ef54d65940bec6a2f4d034
                                              • Opcode Fuzzy Hash: 2257fd8ab512881f6a75dfd94c1adc6df68088fb9580fd68ddbbd23d113039a2
                                              • Instruction Fuzzy Hash: 3AF0C972A04104AFDB11DBA4EE88CEEBBBDEB48311B104566F602F61A1C675ED418B39
                                              APIs
                                              • lstrlenW.KERNEL32(00422708,00422708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 004049DB
                                              • wsprintfW.USER32 ref: 004049E4
                                              • SetDlgItemTextW.USER32(?,00422708), ref: 004049F7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: ItemTextlstrlenwsprintf
                                              • String ID: %u.%u%s%s
                                              • API String ID: 3540041739-3551169577
                                              • Opcode ID: d85f7ca716c1f5658b91c6656715b5566f7677be60d31edad64312fde4761ef2
                                              • Instruction ID: f455ebafcbecf6c6930287b8ee8bcbe2db44ea01d8d71c40407b913fda14730a
                                              • Opcode Fuzzy Hash: d85f7ca716c1f5658b91c6656715b5566f7677be60d31edad64312fde4761ef2
                                              • Instruction Fuzzy Hash: D611D87364412867DB10A6BD9C45EAF3288DB85374F250237FA26F61D2DA798C6182D8
                                              APIs
                                              • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
                                              • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: MessageSend$Timeout
                                              • String ID: !
                                              • API String ID: 1777923405-2657877971
                                              • Opcode ID: 89185f19cab5c9d2123c9567e553a40f312bc8837cbfc1fecf3123f783c5ad12
                                              • Instruction ID: a67f43666b390050b7c93cc16dc22df3288c4645dfbd1c9967af83c22614668d
                                              • Opcode Fuzzy Hash: 89185f19cab5c9d2123c9567e553a40f312bc8837cbfc1fecf3123f783c5ad12
                                              • Instruction Fuzzy Hash: 7C21B071944209BEEF01AFB0CE4AABE7B75EB40304F10403EF601B61D1D6B89A409B69
                                              APIs
                                              • lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059D9
                                              • CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403257,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403496), ref: 004059E3
                                              • lstrcatW.KERNEL32(?,00409014), ref: 004059F5
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004059D3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CharPrevlstrcatlstrlen
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 2659869361-3081826266
                                              • Opcode ID: d7e49c6a6175e7957920a8ebfa112e8ed7db4acdde4d4b40ed7b02ca79cf1c4c
                                              • Instruction ID: e27ca5b6c843e4ca6b7b7419ee0e736cc2f4fee1b15a20ddc9c218eb8b1253ea
                                              • Opcode Fuzzy Hash: d7e49c6a6175e7957920a8ebfa112e8ed7db4acdde4d4b40ed7b02ca79cf1c4c
                                              • Instruction Fuzzy Hash: 1DD0A761101930AAC212E7488C00DDF729CAE55345341003BF107B30B1C7781D5287FE
                                              APIs
                                              • DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,00403504,?), ref: 00402D9D
                                              • GetTickCount.KERNEL32 ref: 00402DBB
                                              • CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
                                              • ShowWindow.USER32(00000000,00000005,?,?,00000000,00403504,?), ref: 00402DE6
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Window$CountCreateDestroyDialogParamShowTick
                                              • String ID:
                                              • API String ID: 2102729457-0
                                              • Opcode ID: 5b077e3499f9c07bbd95dc59ca3d471d91709291d8f5bd327ee9b7f2041f6974
                                              • Instruction ID: e23ac89653febb243e72dcf23735aaa2031a226b5032255065ec6e4c9dbb6a99
                                              • Opcode Fuzzy Hash: 5b077e3499f9c07bbd95dc59ca3d471d91709291d8f5bd327ee9b7f2041f6974
                                              • Instruction Fuzzy Hash: B3F0F431909220EBC6516B54FD4C9DB7F75FB4571270149B7F001B11E4D7B95C818BAD
                                              APIs
                                              • IsWindowVisible.USER32(?), ref: 00405121
                                              • CallWindowProcW.USER32(?,?,?,?), ref: 00405172
                                                • Part of subcall function 0040412F: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404141
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Window$CallMessageProcSendVisible
                                              • String ID:
                                              • API String ID: 3748168415-3916222277
                                              • Opcode ID: e363e72c763df8ca6100096d80b3df6051651a231830df88c35e98c850c37b72
                                              • Instruction ID: 7511a9737e1ae187a562f2e55163cfa394ea92b9daba136d2a61478abf79871a
                                              • Opcode Fuzzy Hash: e363e72c763df8ca6100096d80b3df6051651a231830df88c35e98c850c37b72
                                              • Instruction Fuzzy Hash: 41015E71A40709BBDF219F11DD84B6B3626E794754F144136FA017E1D1C3BA8C919E2D
                                              APIs
                                              • FreeLibrary.KERNEL32(?,74DF3420,00000000,C:\Users\user\AppData\Local\Temp\,004037AB,004035C0,?), ref: 004037ED
                                              • GlobalFree.KERNEL32(?), ref: 004037F4
                                              Strings
                                              • C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Free$GlobalLibrary
                                              • String ID: C:\Users\user\AppData\Local\Temp\
                                              • API String ID: 1100898210-3081826266
                                              • Opcode ID: b2d9a1ddbba9b9f3ee0b0ea3bd9ee1620ba51efa6b86355baead2e8ed11cdd1d
                                              • Instruction ID: 66f8bddb8dfdb1964ca55d912e2b06e4102c5475863404a2afc710826c1672a2
                                              • Opcode Fuzzy Hash: b2d9a1ddbba9b9f3ee0b0ea3bd9ee1620ba51efa6b86355baead2e8ed11cdd1d
                                              • Instruction Fuzzy Hash: CAE0C2B39051206BC7311F04EC08B1AB7BC7F88B32F05416AE8407B3B087742C528BC9
                                              APIs
                                              • lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Unspuriousness.exe,C:\Users\user\Desktop\Unspuriousness.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A25
                                              • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Unspuriousness.exe,C:\Users\user\Desktop\Unspuriousness.exe,80000000,00000003,?,?,00000000,00403504,?), ref: 00405A35
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: CharPrevlstrlen
                                              • String ID: C:\Users\user\Desktop
                                              • API String ID: 2709904686-224404859
                                              • Opcode ID: bd96f5d222dd2e219d7186a4e9023239cf4eadd8ba915765e0199ed169867e67
                                              • Instruction ID: 5bbf66532c1e6c52d9ac91e78c5b81189c295a76ad9a8eb5813a93f974e07d29
                                              • Opcode Fuzzy Hash: bd96f5d222dd2e219d7186a4e9023239cf4eadd8ba915765e0199ed169867e67
                                              • Instruction Fuzzy Hash: 95D05EB29109209AD322A708DC419AF73ACEF113407464466F401A31A5D3785D818AAA
                                              APIs
                                              • GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
                                              • GlobalFree.KERNEL32(00000000), ref: 100011C7
                                              • GlobalFree.KERNEL32(00000000), ref: 100011D9
                                              • GlobalFree.KERNEL32(?), ref: 10001203
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4110102768.0000000010001000.00000020.00000001.01000000.00000007.sdmp, Offset: 10000000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_10000000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: Global$Free$Alloc
                                              • String ID:
                                              • API String ID: 1780285237-0
                                              • Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                              • Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
                                              • Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
                                              • Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765
                                              APIs
                                              • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B69
                                              • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405B81
                                              • CharNextA.USER32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B92
                                              • lstrlenA.KERNEL32(00000000,?,00000000,00405E3A,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.4102037525.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_Unspuriousness.jbxd
                                              Similarity
                                              • API ID: lstrlen$CharNextlstrcmpi
                                              • String ID:
                                              • API String ID: 190613189-0